14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /.git/config
Élevée
Moyen · 64
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.git/config UA Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Ge…
Émulateur
HTTP
WAF
20
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 64
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0198
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.git/config
Ligne de requête
GET /.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.29 Safari/537.36 OPR/15.0.1147.24 (Edition Next)
Règles WAF
nosqli-3
leak-0
Payload (extrait)
GET /.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko
Requête brute (extrait)
GET /.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.29 Safari/537.36 OPR/15.0.1147.24 (Edition Next) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "git\/config",
"http_ua_hash": "280ff1555894151b2939b8bc8b8e617c54a15bce",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "e2f253eab0d0cf5422d24d22ae2a4954398768df",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 264,
"payload_entropy": 5.4196675119333735,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 88,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 64,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "51df23e590af6cdad817cf0e7d3d79b551a5f585",
"event_fingerprint": "73da66494df36937fe7987e6262818d2336d4406",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0198",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0198",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0198"
],
"matched_pattern_names": [
"Probe \/.git\/config"
],
"pattern_ids": [
"pat-0198"
],
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "364ab514bc3302dc8d8170f14412bb2d",
"payload_hash": "e9109c635fa963848a22282cb4f9268c",
"path_pattern_hash": "3ec26e4f0817b37785cd5e68fed88892"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 64
},
"payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko",
"method": "GET",
"path": "\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1500.29 Safari\/537.36 OPR\/15.0.1147.24 (Edition Next)",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/config HTTP\/1.1",
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1500.29 Safari\/537.36 OPR\/15.0.1147.24 (Edition Next)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko",
"evidence": {
"method": "GET",
"path": "\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1500.29 Safari\/537.36 OPR\/15.0.1147.24 (Edition Next)",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/config HTTP\/1.1",
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1500.29 Safari\/537.36 OPR\/15.0.1147.24 (Edition Next)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "311f631627896d2b34eee8af7e460df4d30624fa",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/config",
"request_line": "GET \/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1500.29 Safari\/537.36 OPR\/15.0.1147.24 \u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 64,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0198",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0198",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/config",
"request_line": "GET \/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1500.29 Safari\/537.36 OPR\/15.0.1147.24 \u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.git\/config",
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_git",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /src/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /src/.git/config UA Mozilla/5.0 (Linux; Android 9; LM-G710) AppleWebKit/537.36 (KHT…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/src/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/src/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /src/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; LM-G710) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /src/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Linux; Android 9; LM-G710) AppleWebKit/537.36 (KH
Requête brute (extrait)
GET /src/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-G710) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "037e9abc42a82ef1a94f841c07b1a59f1ed4585d",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "46e050e820087702ef14a381ebad48881db62e31",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 255,
"payload_entropy": 5.386920843826895,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "8980e547038573e5e20b0e6076de4087eabbaaa8",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f79dba3aa5259b10202f37bcd96f3d47",
"payload_hash": "8f42a78bec55568615d85f3bf29dff38",
"path_pattern_hash": "83762003e224a5603ed7ad8ff32c59fc"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KH",
"method": "GET",
"path": "\/src\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KH",
"evidence": {
"method": "GET",
"path": "\/src\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KH",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e1237eecb554269ad3d52ee1d3c2fe13abeb6baa",
"protocol_details": {
"http_method": "GET",
"http_path": "\/src\/.git\/config",
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KH",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/src\/.git\/config",
"request_line": "GET \/src\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/.git\/config",
"evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-G710) AppleWebKit\/537.36 (KH",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /app/.git/config
Élevée
Moyen · 64
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.git/config UA SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Co…
Émulateur
HTTP
WAF
20
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/app/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/app/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 64
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.git/config HTTP/1.1
User-Agent
SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1
Règles WAF
nosqli-3
leak-0
Payload (extrait)
GET /app/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 C
Requête brute (extrait)
GET /app/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: SonyEricssonK810i/R1KG Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "62e5955585854c43724ee6953fa255f665a91654",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "c0d576333b61f38bb5785040d2824435407a4c84",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.236730438018546,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 88,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 64,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "7c545d869d3b67d2e9125b3637b55eeb3c27c16b",
"event_fingerprint": "6f2421b9db56e266eedfe6a0fe67da8a3ed824d6",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "6e2a82c2ef3e04dabf7e19a3959e8b83",
"payload_hash": "18ac40d63d0c4c4f1815615b5fc908bb",
"path_pattern_hash": "87d63e686c8d80bd28afc993649c7598"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 64
},
"payload_preview": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 C",
"method": "GET",
"path": "\/app\/.git\/config",
"user_agent": "SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 C",
"evidence": {
"method": "GET",
"path": "\/app\/.git\/config",
"user_agent": "SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 C",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "836b1176126ec40d0e442714dc0b718d9c932544",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.git\/config",
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"http_user_agent": "SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 C",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 64,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.git\/config",
"request_line": "GET \/app\/.git\/config HTTP\/1.1",
"http_user_agent": "SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.git\/config",
"evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonK810i\/R1KG Browser\/NetFront\/3.3 Profile\/MIDP-2.0 C",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /api/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.git/config UA Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) …
Émulateur
HTTP
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/api/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/api/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /api/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
k8s-api
Payload (extrait)
GET /api/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V)
Requête brute (extrait)
GET /api/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "e8c7024aa0a1fde083832602708a21268842c09c",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "4d60538c38eae0fe13cbc99a2ea3645cbb337669",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 277,
"payload_entropy": 5.424693515831043,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 10,
"anomaly_count": 0,
"campaign_key": "55da376b658af2783c7594f12452e36908a980da",
"event_fingerprint": "27fbee207c1dd30cb273dc6091e35c32e28ae258",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4e806912151c12c6baafb6da3bab5ded",
"payload_hash": "4469bac4ecdab10bc33b7e38273904ca",
"path_pattern_hash": "3ed56f63a5d3aef03e8853abb49b3eea"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V)",
"method": "GET",
"path": "\/api\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0",
"k8s-api"
],
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n",
"payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V)",
"evidence": {
"method": "GET",
"path": "\/api\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0",
"k8s-api"
],
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\n",
"payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V)",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f642ae8087617c76ddf71979eb7a2a129020705a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.git\/config",
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V)",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.git\/config",
"request_line": "GET \/api\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.git\/config",
"evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V)",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"950600:k8s-api",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_api",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /backend/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/.git/config UA Mozilla/5.0 (Linux; Android 6.0.1; MI 5 Build/MXB48T; wv) Apple…
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950086:sqli-21
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/backend/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/backend/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 6.0.1; MI 5 Build/MXB48T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/3072 MicroMess…
Règles WAF
sqli-21
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /backend/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; MI 5 Build/MXB48T; wv)
Requête brute (extrait)
GET /backend/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; MI 5 Build/MXB48T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/3
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "2ad97a32b094802429e8cd0cdb324fc946455262",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "2482ac6c987d570b89dfba6cfee3dc3ac194789d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 408,
"payload_entropy": 5.546730028319321,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "d763a61b53c7bd0674610fd89536930d6eae098f",
"event_fingerprint": "37b2498e291e37b05199c7d40b958a49919eb4b4",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "626a4dd1550738d3881c5021a33dce89",
"payload_hash": "4607aac24166bab702468bbb2d85d09f",
"path_pattern_hash": "2de751ea5a34e7a22b69004dc29faa62"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"method": "GET",
"path": "\/backend\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072 MicroMessenger\/7.0.3.1400(0x2700033C) Process\/tools NetType\/WIFI \u2026",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv)",
"evidence": {
"method": "GET",
"path": "\/backend\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3072 MicroMessenger\/7.0.3.1400(0x2700033C) Process\/tools NetType\/WIFI \u2026",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/3",
"payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv)",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1adefd4b2c7b4ecfa46ebff774923406525910fb",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.git\/config",
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv)",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.git\/config",
"request_line": "GET \/backend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.git\/config",
"evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 5 Build\/MXB48T; wv)",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /frontend/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /frontend/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/frontend/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/frontend/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /frontend/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /frontend/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebK
Requête brute (extrait)
GET /frontend/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "7382b5f3b254c99a0d40bda7aefd386539e0be7a",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "79637aca3de7d81f8030ec893ab364d04845083c",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 261,
"payload_entropy": 5.397056676035121,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "0ce274cf3bd3303154c0a11e1abb06cea5e5a109",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "6a2411e8c5387a0c6ebf7396c4178f0a",
"payload_hash": "97a927d066e4e2b33398ead68e710086",
"path_pattern_hash": "916bc8abf1fa018cce797ab5bdb418f0"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebK",
"method": "GET",
"path": "\/frontend\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos",
"payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebK",
"evidence": {
"method": "GET",
"path": "\/frontend\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos",
"payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebK",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ba7328b694c4d25933d755badf9103487c4d66c4",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.git\/config",
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebK",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.git\/config",
"request_line": "GET \/frontend\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.git\/config",
"evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebK",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /v2/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /v2/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/v2/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/v2/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v2/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /v2/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537
Requête brute (extrait)
GET /v2/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "24cc4394b5ebc83542eafb6717ef25472c22cc34",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "3a5f2466c34928bb38a61b739c70bfc69a077a30",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 255,
"payload_entropy": 5.402002798532058,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "f0967262aa948c941b011a3492c5867cddfdba37",
"event_fingerprint": "aa8cd8a92033eee1dbdaa0e4ed700cde6eb8b75f",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b629577c1771fb3549c2cc5a5fe2c3d8",
"payload_hash": "bec069eb4b85c4042a6737df4bcad089",
"path_pattern_hash": "fcafe4006602b874bcf9d18118e88566"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537",
"method": "GET",
"path": "\/v2\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537",
"evidence": {
"method": "GET",
"path": "\/v2\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9cd20aed478e4f07d7beadc9ca3db3f8bd38dc0c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/.git\/config",
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/.git\/config",
"request_line": "GET \/v2\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.git\/config",
"evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit\/537",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /v3/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /v3/.git/config UA Mozilla/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit/537…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/v3/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/v3/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v3/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /v3/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit/537
Requête brute (extrait)
GET /v3/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "a7105aaaf98fe6da91c9abe21402f0bad7abbf3d",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "4bf76a52a29633f52f17f2cac5ee4daa8e021adb",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 262,
"payload_entropy": 5.394867770077806,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "f0967262aa948c941b011a3492c5867cddfdba37",
"event_fingerprint": "c96a9b74a39a8aee1e100e864e25785292a23a92",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c3ad43cf0b9fc735bad09bffdf4e8da2",
"payload_hash": "8c235207ee89b7cb56c52602b838c7a7",
"path_pattern_hash": "4562786c79a4c5f0790c3581071f5847"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537",
"method": "GET",
"path": "\/v3\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo",
"payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537",
"evidence": {
"method": "GET",
"path": "\/v3\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo",
"payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ea459c1409496bd01c6fe2efa7eeac7898fe0f94",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v3\/.git\/config",
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safa\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v3\/.git\/config",
"request_line": "GET \/v3\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safa\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.git\/config",
"evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; Neffos C5 Max) AppleWebKit\/537",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /web/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /web/.git/config UA Mozilla/5.0 (Linux; Android 9; RMX1851) AppleWebKit/537.36 (KHT…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/web/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/web/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /web/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; RMX1851) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /web/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Linux; Android 9; RMX1851) AppleWebKit/537.36 (KH
Requête brute (extrait)
GET /web/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Linux; Android 9; RMX1851) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "67c8b2cdd0103f2eef5b862b331fac8e4ba2a174",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "f32c2ab0d87a20f2415a1cf44997c48739d87917",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 255,
"payload_entropy": 5.427107474670362,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "103fd179152d57b286ece4178b2b0055c67ce10e",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6a305be7ce9a4e4b307900ac4a529b5",
"payload_hash": "ff54acd813287fb6de6ae6564bf590d8",
"path_pattern_hash": "2be87edfa036da6580e700b188114b92"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KH",
"method": "GET",
"path": "\/web\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KH",
"evidence": {
"method": "GET",
"path": "\/web\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KH",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "24dabe18177c4faa83737c2a52a97d62eb534c0e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/web\/.git\/config",
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KH",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/web\/.git\/config",
"request_line": "GET \/web\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web\/.git\/config",
"evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KH",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /html/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /html/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/html/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/html/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /html/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /html/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/
Requête brute (extrait)
GET /html/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "811a3b91bb40374fbc4d8ea91a8988128723fdc2",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "ed148acba970ce3061829b4dd97608d1a6997773",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 219,
"payload_entropy": 5.245554411716074,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "756224d9be5b1105a072771af5b95f39748d4649",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "75429bbe013e57ff9dc4da0881c45385",
"payload_hash": "0f5359b2cb9865d67b957cbd83cca711",
"path_pattern_hash": "985e825857a4aae20b7bcc62b05870c4"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/",
"method": "GET",
"path": "\/html\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/",
"evidence": {
"method": "GET",
"path": "\/html\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "faf385bb398002cc0e562161e7e12a19c5e8d52c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/html\/.git\/config",
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/html\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/html\/.git\/config",
"request_line": "GET \/html\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/html\/.git\/config",
"evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /www/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /www/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/www/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/www/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /www/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.145 Safari/537.36 Vivaldi/2.6.1566.49
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /www/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/53
Requête brute (extrait)
GET /www/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.145 Safari/537.36 Vivaldi/2.6.1566.49 Accept-Charset: utf-8 Accept-Encoding: gzip C
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "45da61517a0c59230b18cc2e7e3fa1bf75fcdcf0",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "7b5c6d1b9506a8d5fe958dbcf1ffdcdd61f34f9e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 276,
"payload_entropy": 5.457963082364159,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "ea918a098544dec465f8c7706669d1697b5fd74a",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "26153561427cb0ae35fb4f15e24a7268",
"payload_hash": "f82a2a37d20a5993f027f95855a74ba4",
"path_pattern_hash": "2067f182832f5bbc5f3205656471af53"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53",
"method": "GET",
"path": "\/www\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC",
"payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53",
"evidence": {
"method": "GET",
"path": "\/www\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.36 Vivaldi\/2.6.1566.49\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC",
"payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e8dadabb883968f7ea8c37f458e9df970999fe74",
"protocol_details": {
"http_method": "GET",
"http_path": "\/www\/.git\/config",
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/www\/.git\/config",
"request_line": "GET \/www\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.145 Safari\/537.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/www\/.git\/config",
"evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /v1/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /v1/.git/config UA Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (K…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/v1/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/v1/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v1/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT
Règles WAF
lfi-14
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /v1/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (K
Requête brute (extrait)
GET /v1/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/3.9174IT Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "2e3941afe9af64acac6b04d5776247677ae92839",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "852e68c3e2549d34d36a9b5a3605571990e68c97",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 263,
"payload_entropy": 5.466270053603857,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "f0967262aa948c941b011a3492c5867cddfdba37",
"event_fingerprint": "10e27514a35f47fdd0504ab70cfb14eeba56669e",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "eee9483cf6c6beee1c699d123688fba5",
"payload_hash": "c484036213e79a97f23ff3888fa443a2",
"path_pattern_hash": "0efea7c22b821f254abb056b9239c5c5"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (K",
"method": "GET",
"path": "\/v1\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/3.9174IT",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/3.9174IT\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (K",
"evidence": {
"method": "GET",
"path": "\/v1\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/3.9174IT",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/3.9174IT\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (K",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "de461744b26c42865a4c35faaeed1b575226b488",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v1\/.git\/config",
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffi\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (K",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v1\/.git\/config",
"request_line": "GET \/v1\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffi\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.git\/config",
"evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-AU) AppleWebKit\/534.35 (K",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /static/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /static/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/static/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/static/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /static/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /static/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit
Requête brute (extrait)
GET /static/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "9bb0c860e00cb48c94d658e155063f950c3d9fa5",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "521a53c26ae63c9f634cf4a8753a3e9a31c14380",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 257,
"payload_entropy": 5.3084360701114655,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "2fdf4917c21a2806a136bb1a69d74e43b5439ec7",
"event_fingerprint": "1aa71e03fb58f043d2527451aab305ccc40d7ad7",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c7b34d5fd360325ba4d502a7fece9657",
"payload_hash": "48a22c7fffd285c0deb88cf27f626932",
"path_pattern_hash": "8991b5397bf20ed66988d72bf753894a"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"method": "GET",
"path": "\/static\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"evidence": {
"method": "GET",
"path": "\/static\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0c669f06268ed79e6f9f918503588b5c9ce5388e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/static\/.git\/config",
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/static\/.git\/config",
"request_line": "GET \/static\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/.git\/config",
"evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_static",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /public/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /public/.git/config UA Mozilla/5.0 (Linux; Android 8.1.0; vivo 1802 Build/O11019; wv) …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/public/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/public/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /public/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.1.0; vivo 1802 Build/O11019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36 VivoBrowser/5.8.0.10
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /public/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; vivo 1802 Build/O11019;
Requête brute (extrait)
GET /public/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; vivo 1802 Build/O11019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36 VivoBrowser/5.8.0.10 Accept-Charset: utf-8
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "915547fcc5e696789d649d2cafc71faeb847099b",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "8257582ae447b9a2124e0414764cac0aac8808de",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 301,
"payload_entropy": 5.441839946136086,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "1755a5cdf528e437020f60b6304da2c7822a0aa9",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "8702e458ea5871d79ff9b7c48fa7d332",
"payload_hash": "169e08e218118b426b1f2e8e45c91d70",
"path_pattern_hash": "78b85c05b86f9869fecb7907511b414c"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; ",
"method": "GET",
"path": "\/public\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.84 Mobile Safari\/537.36 VivoBrowser\/5.8.0.10",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.84 Mobile Safari\/537.36 VivoBrowser\/5.8.0.10\r\nAccept-Charset: utf-8\r",
"payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019;",
"evidence": {
"method": "GET",
"path": "\/public\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.84 Mobile Safari\/537.36 VivoBrowser\/5.8.0.10",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.84 Mobile Safari\/537.36 VivoBrowser\/5.8.0.10\r\nAccept-Charset: utf-8\r",
"payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019;",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "74d069e7df32f807ae7e65996384bbdb27acf648",
"protocol_details": {
"http_method": "GET",
"http_path": "\/public\/.git\/config",
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019;",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/public\/.git\/config",
"request_line": "GET \/public\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/public\/.git\/config",
"evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1802 Build\/O11019;",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /htdocs/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /htdocs/.git/config UA Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Tride…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/htdocs/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/htdocs/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /htdocs/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /htdocs/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; T
Requête brute (extrait)
GET /htdocs/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7) Accept-Charset: utf-8 Accept-Encoding: gzip Connec
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "2574f6779238eef81e21ff1eff1a0eb6ed50a74d",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "91751256d60394a8b0340bb86ad1a8313b8dadfa",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 271,
"payload_entropy": 5.352533855726112,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "c66610e4b279b5ec6ed5f55b709f8d800f350b17",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "8c37cfff6bf66cd07066db5458c2b066",
"payload_hash": "b1819fca6fffd7c98d483ec2232e9605",
"path_pattern_hash": "9d5b4b02a118c63f9864fb4303c2c2fa"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; T",
"method": "GET",
"path": "\/htdocs\/.git\/config",
"user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident\/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident\/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec",
"payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; T",
"evidence": {
"method": "GET",
"path": "\/htdocs\/.git\/config",
"user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident\/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident\/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec",
"payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; T",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8c0cc758614bf556b2a21a2c328e5b6694123e0e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/htdocs\/.git\/config",
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident\/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC L\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; T",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/htdocs\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/htdocs\/.git\/config",
"request_line": "GET \/htdocs\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident\/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC L\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/htdocs\/.git\/config",
"evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; T",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /assets/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /assets/.git/config UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/assets/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/assets/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /assets/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /assets/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KH
Requête brute (extrait)
GET /assets/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "22df29a4de1fd38c87dcec09e37f285d6da07f99",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "e81ca9a0554d6690b053d3acc558b05833b1c696",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 248,
"payload_entropy": 5.39346913616542,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "3c5e63c95ecf04596bcd0960a3b87d8cb652ba72",
"event_fingerprint": "4e5b7a716a24f159787c7025ab84135a51054dda",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "3bf471692ec50211bc6c14c122424bcd",
"payload_hash": "06bd805ada1ee80de271807c4634ab81",
"path_pattern_hash": "70c13b709566f458c71892575aa001e0"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH",
"method": "GET",
"path": "\/assets\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH",
"evidence": {
"method": "GET",
"path": "\/assets\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "211458e6ea127fb40cdd6d42b356a6d32b4af3cc",
"protocol_details": {
"http_method": "GET",
"http_path": "\/assets\/.git\/config",
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/assets\/.git\/config",
"request_line": "GET \/assets\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/.git\/config",
"evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_assets",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /build/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /build/.git/config UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML li…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/build/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/build/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /build/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML like Gecko) Maxthon/4.0.0.2000 Chrome/22.0.1229.79 Safari/537.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /build/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML
Requête brute (extrait)
GET /build/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML like Gecko) Maxthon/4.0.0.2000 Chrome/22.0.1229.79 Safari/537.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "01598dc831cf10ebdee7ca57e3270c55d78fcb97",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "6aeebdefc1a7f3903e2f068a42149eb080915c7b",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 261,
"payload_entropy": 5.4120010147394755,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "86a2fbcc884065637e5181d5f550b3a073f5afa6",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "52ba95047eaa23df0f7bdeeeb3fb8391",
"payload_hash": "333189216adbe8e4378a33ebaf968c97",
"path_pattern_hash": "203627ae3f02d834b42dc778d4676888"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML",
"method": "GET",
"path": "\/build\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/537.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/537.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos",
"payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML",
"evidence": {
"method": "GET",
"path": "\/build\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/537.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/537.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos",
"payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4d410dce414b8e120fb68889eaf4047e97ac822a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/build\/.git\/config",
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/build\/.git\/config",
"request_line": "GET \/build\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML like Gecko) Maxthon\/4.0.0.2000 Chrome\/22.0.1229.79 Safari\/\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/build\/.git\/config",
"evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.1 (KHTML",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /admin/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /admin/.git/config UA Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/admin/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/admin/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
ET Magento admin
ES admin GET
ActiveMQ console
Ligne de requête
GET /admin/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /admin/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/60
Requête brute (extrait)
GET /admin/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "fd84c72d69faf33df573dcd0340e5a121c99ab2d",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "0d4fda54689ca91aa1cd9ce83cd7fe814ab26468",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 269,
"payload_entropy": 5.401795973553595,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 11,
"anomaly_count": 0,
"campaign_key": "edacefd568ce7b4375d0feb6cb83f27d175c84a3",
"event_fingerprint": "8a6d244352b55761300c842df115f23fd4036630",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"matched_pattern_names": [
"ET Magento admin",
"ES admin GET",
"ActiveMQ console"
],
"pattern_ids": [
"pat-0854",
"pat-0341",
"pat-0606"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f5bf208ca505ba301b62dd806f861235",
"payload_hash": "8b88f185d737c5f749b61deae26202e7",
"path_pattern_hash": "b0ac58c50c927a70e841faaa3da36222"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"method": "GET",
"path": "\/admin\/.git\/config",
"user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/60",
"evidence": {
"method": "GET",
"path": "\/admin\/.git\/config",
"user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"request_sample": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/60",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0edf60f8ed1cb30c66f16d1400257e3d14d76640",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.git\/config",
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/60",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/admin\/.git\/config",
"request_line": "GET \/admin\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/.git\/config",
"evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/60",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_admin_panel_probe",
"http_admin_panel_scan",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_admin",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /dist/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /dist/.git/config UA Mozilla/5.0 (X11; FreeBSD i386; rv:28.0) Gecko/20100101 Firefox…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/dist/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/dist/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /dist/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; FreeBSD i386; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /dist/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:28.0) Gecko/20100101 Firef
Requête brute (extrait)
GET /dist/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "e682abd34aab1e40793d7487f59bd043d2dd33ae",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "b2ec2395164738dbd60ce81f264be6255104bfff",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 219,
"payload_entropy": 5.289238642227739,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "4b2440fa4fb1906b7e3dda951511b13b2fe3f4c1",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c41830aceeb8f1c50acce6c50c3af66e",
"payload_hash": "91ed26bfafe3c4db8e872958a18eb2db",
"path_pattern_hash": "dd1606cd54dc95eed2c024184678427e"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firef",
"method": "GET",
"path": "\/dist\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firefox\/28.0 SeaMonkey\/2.25",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firefox\/28.0 SeaMonkey\/2.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firef",
"evidence": {
"method": "GET",
"path": "\/dist\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firefox\/28.0 SeaMonkey\/2.25",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firefox\/28.0 SeaMonkey\/2.25\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firef",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5f3f384675c8224fcc0634172aec5a95f94fa42b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dist\/.git\/config",
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firefox\/28.0 SeaMonkey\/2.25",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firef",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dist\/.git\/config",
"request_line": "GET \/dist\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firefox\/28.0 SeaMonkey\/2.25",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/.git\/config",
"evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD i386; rv:28.0) Gecko\/20100101 Firef",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /dashboard/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /dashboard/.git/config UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/dashboard/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/dashboard/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /dashboard/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.3.172 Yowser/2.5 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /dashboard/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (
Requête brute (extrait)
GET /dashboard/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.3.172 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: g
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "843826985604d07c966861fd7b6f38fd550e66f6",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "8e8dab3e424b71a244774110fadcc774ba40fa59",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 282,
"payload_entropy": 5.4398936269003055,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "891630988ef39b23430c6407543e5b128c3d168f",
"event_fingerprint": "91e4a45e054f9274d2b77554e5b0d11f8e87ac70",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ff0a275ce4a567dd0e86c420c96ff2e2",
"payload_hash": "370814180ed0bcba9bb2dc36a7a7035d",
"path_pattern_hash": "33b0aba70ccc7970e9e866f8e50aaddb"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (",
"method": "GET",
"path": "\/dashboard\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yowser\/2.5 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g",
"payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (",
"evidence": {
"method": "GET",
"path": "\/dashboard\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yowser\/2.5 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g",
"payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b32b6e1283e8663ea650c1d30080c853aff91647",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dashboard\/.git\/config",
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yo\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dashboard\/.git\/config",
"request_line": "GET \/dashboard\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.3.172 Yo\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dashboard\/.git\/config",
"evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_traefik",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /portal/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /portal/.git/config UA Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML l…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/portal/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/portal/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /portal/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /portal/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHT
Requête brute (extrait)
GET /portal/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/28.0.1469.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "b96c617ee8708989ced0612febef74987bfccfb1",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "c6c2b01731ed2b569c9ab907e9a96206a2cfc6cc",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 244,
"payload_entropy": 5.397464043300654,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "079d395add16920c1be6cdf28b1898ac1f0587bb",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "58a41cb52a36d2d2b1eb00034aea59c6",
"payload_hash": "028f17576695d28c453203e8120c74d2",
"path_pattern_hash": "b68e69ddda3386f78de437bb71fa9236"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHT",
"method": "GET",
"path": "\/portal\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/28.0.1469.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/28.0.1469.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHT",
"evidence": {
"method": "GET",
"path": "\/portal\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/28.0.1469.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/28.0.1469.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHT",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "23384a691ad662277323c30011a10e213fd73b6c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.git\/config",
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/28.0.1469.0 Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHT",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.git\/config",
"request_line": "GET \/portal\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/28.0.1469.0 Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.git\/config",
"evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHT",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /blog/.git/config
Élevée
Moyen · 64
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /blog/.git/config UA SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.0 …
Émulateur
HTTP
WAF
20
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/blog/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/blog/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 64
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /blog/.git/config HTTP/1.1
User-Agent
SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0
Règles WAF
nosqli-3
leak-0
Payload (extrait)
GET /blog/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.
Requête brute (extrait)
GET /blog/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: SonyEricssonZ800/R1Y Browser/SEMC-Browser/4.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "3f29025821b3a94eaa79a10f577739f1a7d267f6",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "1813dede65bdf71d338345f47e16a42344128e28",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 239,
"payload_entropy": 5.285106028490125,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 88,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 64,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "7c545d869d3b67d2e9125b3637b55eeb3c27c16b",
"event_fingerprint": "a0f42c634a5d6aaa8aeb0ea75621d8c46e394d63",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "8189347f53da54fe3964a69ee13bbe99",
"payload_hash": "ff041e925b5963dde4a0fb4a4246ff07",
"path_pattern_hash": "daa6f35b77a4b5cee3d40cc9dc6869ad"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 64
},
"payload_preview": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.",
"method": "GET",
"path": "\/blog\/.git\/config",
"user_agent": "SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.",
"evidence": {
"method": "GET",
"path": "\/blog\/.git\/config",
"user_agent": "SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"nosqli-3",
"leak-0"
],
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2796c9331b98bf5f30ed96e3e5df3ee4018c34c9",
"protocol_details": {
"http_method": "GET",
"http_path": "\/blog\/.git\/config",
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"http_user_agent": "SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/blog\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 88,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 64,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/blog\/.git\/config",
"request_line": "GET \/blog\/.git\/config HTTP\/1.1",
"http_user_agent": "SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/blog\/.git\/config",
"evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: SonyEricssonZ800\/R1Y Browser\/SEMC-Browser\/4.1 Profile\/MIDP-2.",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /shop/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /shop/.git/config UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/shop/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/shop/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /shop/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /shop/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li
Requête brute (extrait)
GET /shop/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "3ccd4eed62472b12534dd91a4e4a3b0ab7d03350",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "802d0aecf0b84c68ef00c159917e7dd44f6dfd34",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 241,
"payload_entropy": 5.43933921974842,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "5846b6b089eb354a393321d17423e98dd87d94da",
"event_fingerprint": "4274864a4d51405daac72e7884f8a81b273fcf80",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e0380f369210706b00a6b0e3ede6f7d9",
"payload_hash": "5cd74d05bf287dbf422e5775b3d53a81",
"path_pattern_hash": "6603e8dbaffaf78a6758aff077d9de4a"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li",
"method": "GET",
"path": "\/shop\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li",
"evidence": {
"method": "GET",
"path": "\/shop\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2803922fdd1c1a22c0c26a1e92b3b3374a1cccff",
"protocol_details": {
"http_method": "GET",
"http_path": "\/shop\/.git\/config",
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/shop\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/shop\/.git\/config",
"request_line": "GET \/shop\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/shop\/.git\/config",
"evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_shop",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /wordpress/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /wordpress/.git/config UA Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleW…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/wordpress/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/wordpress/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /wordpress/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /wordpress/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X)
Requête brute (extrait)
GET /wordpress/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D60 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip C
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "3a9bcdd3dc2905bd8ddd2bff52683409793493aa",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "466d1ef9599315e8ea185d729b1bb7f4ef3f3e3e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 276,
"payload_entropy": 5.379296572164258,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "d2e8073eda931ba083aaa3874b4117ffcbd8b654",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "577b9f58c4e51138d6e0cd22cf64da14",
"payload_hash": "b1bed0ed160dfe18218fa476205040bd",
"path_pattern_hash": "065fde2a84971d9e936ccb4d03006f9c"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X)",
"method": "GET",
"path": "\/wordpress\/.git\/config",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC",
"payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X)",
"evidence": {
"method": "GET",
"path": "\/wordpress\/.git\/config",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15D60 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC",
"payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X)",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c57563cff8dfd4584a50a1d24b8f774d579d2d58",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wordpress\/.git\/config",
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X)",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wordpress\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wordpress\/.git\/config",
"request_line": "GET \/wordpress\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X) AppleWebKit\/604.5.6 (KHTML, like Gecko) Version\/11.0 Mobile\/15\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wordpress\/.git\/config",
"evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_2_5 like Mac OS X)",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /wp-content/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /wp-content/.git/config UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/wp-content/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/wp-content/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /wp-content/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /wp-content/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5
Requête brute (extrait)
GET /wp-content/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "73edb8ff973d8351887c5542b00d315359c1733f",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "1cbb6121d6675be288abb212d6a93556d924de3d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 266,
"payload_entropy": 5.3930861537593895,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "28d02be497a029007319bf7ee9082b42d8030c7a",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "08c8f275680a86d282b86034497f56b8",
"payload_hash": "f54cbc10410c86d18fefd290360f0e99",
"path_pattern_hash": "653b421a6e10a22436e18cc595f6a1ee"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5",
"method": "GET",
"path": "\/wp-content\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\/12.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:",
"payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5",
"evidence": {
"method": "GET",
"path": "\/wp-content\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\/12.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:",
"payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b78c17a06d6a42295c025b1ba3d71a166e500cc6",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wp-content\/.git\/config",
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-content\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wp-content\/.git\/config",
"request_line": "GET \/wp-content\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/39.0.2171.71 Safari\/537.36 Edge\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-content\/.git\/config",
"evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /site/.git/config
Élevée
Critique · 85
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /site/.git/config UA Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; M…
Émulateur
HTTP
WAF
21
Recommandation
Bloquer (recommandé)
Tags
950326:rce-0
950468:nosqli-3
950513:leak-0
http_backup_file_scan
Cible HTTP
GET
/site/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/site/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Critique
· 85
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /site/.git/config HTTP/1.1
User-Agent
Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3)
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /site/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12;
Requête brute (extrait)
GET /site/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "5ed7c912ed52acb29257c5860cda44c67e6f6bd2",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "99d75e39037b11054e155a03133c80282ea1c965",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 219,
"payload_entropy": 5.267906244710162,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 85,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "43d2bab9f4c1cbab3b3a40194975b5b871c7a809",
"event_fingerprint": "af5590b162f8f411626455abec7f7af81b1508e5",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 85,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "084d7468348ca89606dd789f11043b60",
"payload_hash": "0780afce9d902af792b56af72fa9d25a",
"path_pattern_hash": "6901c63c2daa99b93d9d7c027371b852"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 85
},
"payload_preview": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12;",
"method": "GET",
"path": "\/site\/.git\/config",
"user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12;",
"evidence": {
"method": "GET",
"path": "\/site\/.git\/config",
"user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12;",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "block",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "03ba87c527d5301d3fd1bf2245bc6ecd78bd6b3c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/site\/.git\/config",
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3)",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12;",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/site\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 85\/100 (Critique) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 85,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 85,
"risk_label": "Critique",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "block",
"recommended_action_label": "Bloquer (recommand\u00e9)",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/site\/.git\/config",
"request_line": "GET \/site\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; Microsoft ZuneHD 4.3)",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/site\/.git\/config",
"evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12;",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_block",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_metasploit_ua",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /laravel/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /laravel/.git/config UA Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/200…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/laravel/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/laravel/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /laravel/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091107 Firefox/3.5.5
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /laravel/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Geck
Requête brute (extrait)
GET /laravel/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091107 Firefox/3.5.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "640981339f0da42dabf9def6c21cb59e45682a0a",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "ff65c052e15f784544b91aafeff8e6c3f996fc2a",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 221,
"payload_entropy": 5.347185628410603,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "1ddb692d2ae3b1adb2d904ebb87330b78f8b5356",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5f33db2f27e5b8d7c229c71038b3ce71",
"payload_hash": "56208a5e75dd09293d88d29d58b181b1",
"path_pattern_hash": "3a3de1279fd8fe4dc4799f8620f7768e"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Geck",
"method": "GET",
"path": "\/laravel\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko\/20091107 Firefox\/3.5.5",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko\/20091107 Firefox\/3.5.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Geck",
"evidence": {
"method": "GET",
"path": "\/laravel\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko\/20091107 Firefox\/3.5.5",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko\/20091107 Firefox\/3.5.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Geck",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c78a6f637b6cd41e971a390efff3f3b8fe0be30d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/laravel\/.git\/config",
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko\/20091107 Firefox\/3.5.5",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Geck",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/laravel\/.git\/config",
"request_line": "GET \/laravel\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko\/20091107 Firefox\/3.5.5",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel\/.git\/config",
"evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Geck",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /code/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /code/.git/config UA Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/537.36 …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/code/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/code/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /code/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /code/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/537.3
Requête brute (extrait)
GET /code/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "c22b811f6079d1008094695c3038cc31be7f2962",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "538da175681b2052ab512cad0fb3bd57e81adff0",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 260,
"payload_entropy": 5.388891033897593,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "ef9ad4a8c7a827bb55f9f87e782f821c8d6b96ef",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4cd92407b05ac14d5924946547680140",
"payload_hash": "72c38c931c4970b52325c8365ae3f92f",
"path_pattern_hash": "dda1558dfc88b8ae947dda6da613b7f7"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.3",
"method": "GET",
"path": "\/code\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.3",
"evidence": {
"method": "GET",
"path": "\/code\/.git\/config",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.3",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6cb0ead40f38d54981cb3a1dae1f336c5acbbcd2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/code\/.git\/config",
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.3",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/code\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/code\/.git\/config",
"request_line": "GET \/code\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/code\/.git\/config",
"evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; BLA-L29) AppleWebKit\/537.3",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /project/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /project/.git/config UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/project/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/project/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /project/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /project/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.
Requête brute (extrait)
GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "cf8bf968aa349942c116d0a4c20de363d89efceb",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "68976db99265042d7b0c3b91df3fbefc1a56cd37",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 254,
"payload_entropy": 5.419236847907842,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "9e9f078b35513adb0bfd314cbaf3abf6ef844745",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c306ed4af400e8831cd8243025857d62",
"payload_hash": "8cc575d0fe092e43ebb9e7013866c7db",
"path_pattern_hash": "40d5006de80bb36cea868dfbe43c4ff0"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.",
"method": "GET",
"path": "\/project\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.",
"evidence": {
"method": "GET",
"path": "\/project\/.git\/config",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0bf0da7417e1b7eea6b9c6d774ecabb6a287119f",
"protocol_details": {
"http_method": "GET",
"http_path": "\/project\/.git\/config",
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/project\/.git\/config",
"request_line": "GET \/project\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/project\/.git\/config",
"evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:07 UTC
TCP
9002 · HTTP
Sonde fichier configuration
config file probe · via HTTP:9002 · (tentative d'exploit) · → /symfony/.git/config
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /symfony/.git/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950513:leak-0
Cible HTTP
GET
/symfony/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9002
Chemin / cible
/symfony/.git/config
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Protocole émulé
1 Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /symfony/.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-0
Payload (extrait)
GET /symfony/.git/config HTTP/1.1
Host: 62.3.50.33:9002
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi
Requête brute (extrait)
GET /symfony/.git/config HTTP/1.1 Host: 62.3.50.33:9002 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "git\/config",
"http_ua_hash": "b61212a69dc817b83cb606daa166c8a2cbe8d77c",
"http_host_hash": "9eb77341d923bf850a12632119cec98177710a79",
"http_target_hash": "256775bfb3e8fd0855bebb6ef917cf83cff8a368",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 260,
"payload_entropy": 5.430273024250481,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "c85b4e2fb1320163d6cb4dac756dda22ebff4920",
"event_fingerprint": "e03d713d98e6125e180d5243d694b11d52e5d22b",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ee19a236baad72405498434a7b8f810e",
"payload_hash": "1d2777e3f7b0f7edc693e828a31bc366",
"path_pattern_hash": "8b0b254049cc28b88f641713d31106e0"
},
"target_context": {
"dst_port": 9002,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi",
"method": "GET",
"path": "\/symfony\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi",
"evidence": {
"method": "GET",
"path": "\/symfony\/.git\/config",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b47c942be4d5d6d1b596bd67518a49f73b843d5a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/symfony\/.git\/config",
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi",
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/symfony\/.git\/config",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/symfony\/.git\/config",
"request_line": "GET \/symfony\/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.\u2026",
"port": 9002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:9002 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/symfony\/.git\/config",
"evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9002\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi",
"target_port_label": "9002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"minio-console"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_sensitive_path",
"net_web_probe"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
��������������w����ϼʟ�����繒k����P=�t�� ��/�����V!�x����+��1������O+�;���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������w����ϼʟ�����繒k����P=�t�� ��/�����V!�x����+��1������O+�;���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������w����ϼʟ�����繒k����P=�t�� ��/�����V!�x����+��1������O+�;���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� N�iмwpP�D�M�D%5 $'�. ��)G���G�!
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.784416557182581,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "18c24d4f619bb5aff455747d1a68cb38",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdw\u0010\ufffd\u0003\ufffd\u03fc\u029f\ufffd\ufffd\ufffd\ufffd\ufffd\u7e52k\u0010\ufffd\ufffd\ufffdP=\ufffdt\ufffd\ufffd \ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0003V!\ufffdx\u0017\ufffd\ufffd\ufffd+\ufffd\u000e1\ufffd\u0011\u0005\ufffd\ufffd\u0013O+\ufffd;\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdw\u0010\ufffd\u0003\ufffd\u03fc\u029f\ufffd\ufffd\ufffd\ufffd\ufffd\u7e52k\u0010\ufffd\ufffd\ufffdP=\ufffdt\ufffd\ufffd \ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0003V!\ufffdx\u0017\ufffd\ufffd\ufffd+\ufffd\u000e1\ufffd\u0011\u0005\ufffd\ufffd\u0013O+\ufffd;\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 N\u000fi\u043cwpP\ufffdD\ufffdM\ufffdD%5\u000b$'\ufffd.\r\ufffd\ufffd)G\u0007\ufffd\ufffdG\ufffd!",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdw\u0010\ufffd\u0003\ufffd\u03fc\u029f\ufffd\ufffd\ufffd\ufffd\ufffd\u7e52k\u0010\ufffd\ufffd\ufffdP=\ufffdt\ufffd\ufffd \ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0003V!\ufffdx\u0017\ufffd\ufffd\ufffd+\ufffd\u000e1\ufffd\u0011\u0005\ufffd\ufffd\u0013O+\ufffd;\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c995de063000c423c0c493b0b275a1c790fbd311",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdw\u0010\ufffd\u0003\ufffd\u03fc\u029f\ufffd\ufffd\ufffd\ufffd\ufffd\u7e52k\u0010\ufffd\ufffd\ufffdP=\ufffdt\ufffd\ufffd \ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0003V!\ufffdx\u0017\ufffd\ufffd\ufffd+\ufffd\u000e1\ufffd\u0011\u0005\ufffd\ufffd\u0013O+\ufffd;\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\u03fc\u029f\ufffd\ufffd\ufffd\ufffd\ufffd\u7e52k\ufffd\ufffd\ufffdP=\ufffdt\ufffd\ufffd \ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffdV!\ufffdx\ufffd\ufffd\ufffd+\ufffd1\ufffd\ufffd\ufffdO+\ufffd;\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdw\u0010\ufffd\u0003\ufffd\u03fc\u029f\ufffd\ufffd\ufffd\ufffd\ufffd\u7e52k\u0010\ufffd\ufffd\ufffdP=\ufffdt\ufffd\ufffd \ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0003V!\ufffdx\u0017\ufffd\ufffd\ufffd+\ufffd\u000e1\ufffd\u0011\u0005\ufffd\ufffd\u0013O+\ufffd;\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\u03fc\u029f\ufffd\ufffd\ufffd\ufffd\ufffd\u7e52k\ufffd\ufffd\ufffdP=\ufffdt\ufffd\ufffd \ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffdV!\ufffdx\ufffd\ufffd\ufffd+\ufffd1\ufffd\ufffd\ufffdO+\ufffd;\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
�����������v�h�P/ś }_���ed�p���j}?������ �q��u��-k��0�^cZ�[�zH��+py�?�:��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������v�h�P/ś }_���ed�p���j}?������ �q��u��-k��0�^cZ�[�zH��+py�?�:��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������v�h�P/ś }_���ed�p���j}?������ �q��u��-k��0�^cZ�[�zH��+py�?�:��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� Z��>�����@��tI��L����l ��>��^
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.930791031604775,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7deaf738701a6e9ede4829bdb9245e3d",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003v\ufffdh\u001bP\/\u015b\t}_\u001b\ufffd\ufffded\ufffdp\ufffd\ufffd\ufffdj}?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdq\ufffd\ufffdu\u001b\ufffd-k\ufffd\u00120\ufffd^cZ\ufffd[\ufffdzH\ufffd\ufffd+py\ufffd?\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003v\ufffdh\u001bP\/\u015b\t}_\u001b\ufffd\ufffded\ufffdp\ufffd\ufffd\ufffdj}?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdq\ufffd\ufffdu\u001b\ufffd-k\ufffd\u00120\ufffd^cZ\ufffd[\ufffdzH\ufffd\ufffd+py\ufffd?\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Z\ufffd\ufffd>\ufffd\ufffd\u0011\u000e\ufffd@\ufffd\uea3c\u0015tI\ufffd\ufffdL\ufffd\u000f\ufffd\ufffdl \ufffd\ufffd>\ufffd\ufffd^",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003v\ufffdh\u001bP\/\u015b\t}_\u001b\ufffd\ufffded\ufffdp\ufffd\ufffd\ufffdj}?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdq\ufffd\ufffdu\u001b\ufffd-k\ufffd\u00120\ufffd^cZ\ufffd[\ufffdzH\ufffd\ufffd+py\ufffd?\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "71805f83d1cd4bb645b30754cc0072300df1cfbc",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003v\ufffdh\u001bP\/\u015b\t}_\u001b\ufffd\ufffded\ufffdp\ufffd\ufffd\ufffdj}?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdq\ufffd\ufffdu\u001b\ufffd-k\ufffd\u00120\ufffd^cZ\ufffd[\ufffdzH\ufffd\ufffd+py\ufffd?\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffdv\ufffdhP\/\u015b\t}_\ufffd\ufffded\ufffdp\ufffd\ufffd\ufffdj}?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdq\ufffd\ufffdu\ufffd-k\ufffd0\ufffd^cZ\ufffd[\ufffdzH\ufffd\ufffd+py\ufffd?\ufffd:\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003v\ufffdh\u001bP\/\u015b\t}_\u001b\ufffd\ufffded\ufffdp\ufffd\ufffd\ufffdj}?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdq\ufffd\ufffdu\u001b\ufffd-k\ufffd\u00120\ufffd^cZ\ufffd[\ufffdzH\ufffd\ufffd+py\ufffd?\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdv\ufffdhP\/\u015b\t}_\ufffd\ufffded\ufffdp\ufffd\ufffd\ufffdj}?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffdq\ufffd\ufffdu\ufffd-k\ufffd0\ufffd^cZ\ufffd[\ufffdzH\ufffd\ufffd+py\ufffd?\ufffd:\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
������������q������(���8YO|Ň�0���D����"z$j *K��B-�����_83��o�� #��^-"f���%��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������q������(���8YO|�0���D����"z$j *K��B-�����_83��o��
#��^-"f���%��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������q������(���8YO|Ň�0���D����"z$j *K��B-�����_83��o�� #��^-"f���%��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��b����D����e��s�-��ɈT������H
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.885888103086531,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "36d254cedad53718ce44cd8789e4b09e",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000eq\u001b\u0014\ufffd\u001c\ufffd\ufffd(\ufffd\ufffd\ufffd8YO|\u0147\ufffd0\ufffd\ufffd\u0013D\ufffd\ufffd\u0019\ufffd\"z$j *K\ufffd\ufffdB-\ufffd\ufffd\ufffd\ufffd\ufffd_83\ufffd\ufffdo\ufffd\u0011\r#\ufffd\ufffd^-\"f\ufffd\u0018\ufffd%\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000eq\u001b\u0014\ufffd\u001c\ufffd\ufffd(\ufffd\ufffd\ufffd8YO|\u0147\ufffd0\ufffd\ufffd\u0013D\ufffd\ufffd\u0019\ufffd\"z$j *K\ufffd\ufffdB-\ufffd\ufffd\ufffd\ufffd\ufffd_83\ufffd\ufffdo\ufffd\u0011\r#\ufffd\ufffd^-\"f\ufffd\u0018\ufffd%\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u001ab\ufffd\ufffd\ufffd\ufffdD\ufffd\ufffd\ufffd\ufffde\ufffd\ufffds\ufffd-\ufffd\u0015\u0248T\u0015\ufffd\ufffd\ufffd\ufffd\u0005H",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000eq\u001b\u0014\ufffd\u001c\ufffd\ufffd(\ufffd\ufffd\ufffd8YO|\u0147\ufffd0\ufffd\ufffd\u0013D\ufffd\ufffd\u0019\ufffd\"z$j *K\ufffd\ufffdB-\ufffd\ufffd\ufffd\ufffd\ufffd_83\ufffd\ufffdo\ufffd\u0011\r#\ufffd\ufffd^-\"f\ufffd\u0018\ufffd%\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e111160a649d26f72e74f2e3ed9ee4721642d5c8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000eq\u001b\u0014\ufffd\u001c\ufffd\ufffd(\ufffd\ufffd\ufffd8YO|\u0147\ufffd0\ufffd\ufffd\u0013D\ufffd\ufffd\u0019\ufffd\"z$j *K\ufffd\ufffdB-\ufffd\ufffd\ufffd\ufffd\ufffd_83\ufffd\ufffdo\ufffd\u0011\r#\ufffd\ufffd^-\"f\ufffd\u0018\ufffd%\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffdq\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd8YO|\u0147\ufffd0\ufffd\ufffdD\ufffd\ufffd\ufffd\"z$j *K\ufffd\ufffdB-\ufffd\ufffd\ufffd\ufffd\ufffd_83\ufffd\ufffdo\ufffd\r#\ufffd\ufffd^-\"f\ufffd\ufffd%\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000eq\u001b\u0014\ufffd\u001c\ufffd\ufffd(\ufffd\ufffd\ufffd8YO|\u0147\ufffd0\ufffd\ufffd\u0013D\ufffd\ufffd\u0019\ufffd\"z$j *K\ufffd\ufffdB-\ufffd\ufffd\ufffd\ufffd\ufffd_83\ufffd\ufffdo\ufffd\u0011\r#\ufffd\ufffd^-\"f\ufffd\u0018\ufffd%\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdq\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd8YO|\u0147\ufffd0\ufffd\ufffdD\ufffd\ufffd\ufffd\"z$j *K\ufffd\ufffdB-\ufffd\ufffd\ufffd\ufffd\ufffd_83\ufffd\ufffdo\ufffd\r#\ufffd\ufffd^-\"f\ufffd\ufffd%\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
�����������������z���R��䃇`�|�c���� ��`�Y �����������i�� ��r�:��MW�s�!��wC�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������������z���R��䃇`�|�c����
��`�Y �����������i�����r�:��MW�s�!��wC�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������������z���R��䃇`�|�c���� ��`�Y �����������i�� ��r�:��MW�s�!��wC�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��oe��i�S�'�L6��߾Ӏj��9 J�ך/�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.9125294082717215,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9ab75b2a2c2f87924027f9aab85ea65b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015\ufffd\ufffd\ufffd\ufffd\u0015z\ufffd\ufffd\ufffdR\ufffd\ufffd\u40c7`\ufffd|\ufffdc\ufffd\ufffd\ufffd\ufffd\n\u0018\ufffd`\u0011Y \u0013\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd\f\u001c\ufffdr\u0016:\ufffd\ufffdMW\ufffds\ufffd!\u000f\ufffdwC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015\ufffd\ufffd\ufffd\ufffd\u0015z\ufffd\ufffd\ufffdR\ufffd\ufffd\u40c7`\ufffd|\ufffdc\ufffd\ufffd\ufffd\ufffd\n\u0018\ufffd`\u0011Y \u0013\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd\f\u001c\ufffdr\u0016:\ufffd\ufffdMW\ufffds\ufffd!\u000f\ufffdwC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000b\ufffd\ufffdoe\ufffd\ufffdi\ufffdS\ufffd'\ufffdL6\u0016\ufffd\u07fe\u04c0j\ufffd\ufffd9\u000bJ\ufffd\u05da\/\u0013",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015\ufffd\ufffd\ufffd\ufffd\u0015z\ufffd\ufffd\ufffdR\ufffd\ufffd\u40c7`\ufffd|\ufffdc\ufffd\ufffd\ufffd\ufffd\n\u0018\ufffd`\u0011Y \u0013\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd\f\u001c\ufffdr\u0016:\ufffd\ufffdMW\ufffds\ufffd!\u000f\ufffdwC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "67683de211795e03fe9d6c52fde3b49a0e42200a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015\ufffd\ufffd\ufffd\ufffd\u0015z\ufffd\ufffd\ufffdR\ufffd\ufffd\u40c7`\ufffd|\ufffdc\ufffd\ufffd\ufffd\ufffd\n\u0018\ufffd`\u0011Y \u0013\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd\f\u001c\ufffdr\u0016:\ufffd\ufffdMW\ufffds\ufffd!\u000f\ufffdwC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffdR\ufffd\ufffd\u40c7`\ufffd|\ufffdc\ufffd\ufffd\ufffd\ufffd\n\ufffd`Y \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffdr:\ufffd\ufffdMW\ufffds\ufffd!\ufffdwC&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015\ufffd\ufffd\ufffd\ufffd\u0015z\ufffd\ufffd\ufffdR\ufffd\ufffd\u40c7`\ufffd|\ufffdc\ufffd\ufffd\ufffd\ufffd\n\u0018\ufffd`\u0011Y \u0013\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd\f\u001c\ufffdr\u0016:\ufffd\ufffdMW\ufffds\ufffd!\u000f\ufffdwC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffdR\ufffd\ufffd\u40c7`\ufffd|\ufffdc\ufffd\ufffd\ufffd\ufffd\n\ufffd`Y \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffd\ufffdr:\ufffd\ufffdMW\ufffds\ufffd!\ufffdwC&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
�����������3t���R�=��A/$�:���]�A��H���4�0 � �.��g�*P� [2it�o]���g����We��w���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������3t���R�=��A/$�:���]�A��H���4�0
� �.��g�*P��[2it�o]���g����We��w���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������3t���R�=��A/$�:���]�A��H���4�0 � �.��g�*P� [2it�o]���g����We��w���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���WN�Գl;U�ҏ���/�?S.�:>��KZ|16
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.872020664805197,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3f6ce2a2819dd2b19ba88d22cbfcd79b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033t\ufffd\ufffd\ufffdR\ufffd=\ufffd\ufffdA\/$\ufffd:\ufffd\ufffd\u001d]\u0006A\ufffd\ufffdH\ufffd\ufffd\ufffd4\ufffd0\r\ufffd \ufffd.\ufffd\ufffdg\ufffd*P\ufffd\u000b[2it\ufffdo]\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffdWe\u001c\ufffdw\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033t\ufffd\ufffd\ufffdR\ufffd=\ufffd\ufffdA\/$\ufffd:\ufffd\ufffd\u001d]\u0006A\ufffd\ufffdH\ufffd\ufffd\ufffd4\ufffd0\r\ufffd \ufffd.\ufffd\ufffdg\ufffd*P\ufffd\u000b[2it\ufffdo]\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffdWe\u001c\ufffdw\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0007\ufffd\u0003WN\ufffd\u0533l;U\ufffd\u048f\ufffd\u0002\ufffd\/\ufffd?S.\ufffd:>\ufffd\u001bKZ|16",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033t\ufffd\ufffd\ufffdR\ufffd=\ufffd\ufffdA\/$\ufffd:\ufffd\ufffd\u001d]\u0006A\ufffd\ufffdH\ufffd\ufffd\ufffd4\ufffd0\r\ufffd \ufffd.\ufffd\ufffdg\ufffd*P\ufffd\u000b[2it\ufffdo]\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffdWe\u001c\ufffdw\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f985512cc1c1b496b5ca9621ff953f480afe0fe6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033t\ufffd\ufffd\ufffdR\ufffd=\ufffd\ufffdA\/$\ufffd:\ufffd\ufffd\u001d]\u0006A\ufffd\ufffdH\ufffd\ufffd\ufffd4\ufffd0\r\ufffd \ufffd.\ufffd\ufffdg\ufffd*P\ufffd\u000b[2it\ufffdo]\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffdWe\u001c\ufffdw\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd3t\ufffd\ufffd\ufffdR\ufffd=\ufffd\ufffdA\/$\ufffd:\ufffd\ufffd]A\ufffd\ufffdH\ufffd\ufffd\ufffd4\ufffd0\r\ufffd \ufffd.\ufffd\ufffdg\ufffd*P\ufffd[2it\ufffdo]\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffdWe\ufffdw\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033t\ufffd\ufffd\ufffdR\ufffd=\ufffd\ufffdA\/$\ufffd:\ufffd\ufffd\u001d]\u0006A\ufffd\ufffdH\ufffd\ufffd\ufffd4\ufffd0\r\ufffd \ufffd.\ufffd\ufffdg\ufffd*P\ufffd\u000b[2it\ufffdo]\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffdWe\u001c\ufffdw\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd3t\ufffd\ufffd\ufffdR\ufffd=\ufffd\ufffdA\/$\ufffd:\ufffd\ufffd]A\ufffd\ufffdH\ufffd\ufffd\ufffd4\ufffd0\r\ufffd \ufffd.\ufffd\ufffdg\ufffd*P\ufffd[2it\ufffdo]\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffdWe\ufffdw\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
����������� (�:U8Uz� �Q��l�5��0tmy�I���k��* =���G��L�+�����c�I�=����a%��o:���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������
(�:U8Uz� �Q��l�5��0tmy�I���k��* =���G��L�+�����c�I�=����a%��o:���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������� (�:U8Uz� �Q��l�5��0tmy�I���k��* =���G��L�+�����c�I�=����a%��o:���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� >��C��"�����f���%������ɣ[_����2
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.8357690983326815,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5274154bdac92ae90e23d82fc839ee4b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r(\u0006:U8Uz\ufffd \ufffdQ\ufffd\ufffdl\ufffd5\u000e\ufffd0tmy\ufffdI\ufffd\ufffd\ufffdk\ufffd\ufffd* =\ufffd\ufffd\u001dG\u0002\ufffdL\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffdI\ufffd=\u0017\ufffd\ufffd\ufffda%\u000e\ufffdo:\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r(\u0006:U8Uz\ufffd \ufffdQ\ufffd\ufffdl\ufffd5\u000e\ufffd0tmy\ufffdI\ufffd\ufffd\ufffdk\ufffd\ufffd* =\ufffd\ufffd\u001dG\u0002\ufffdL\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffdI\ufffd=\u0017\ufffd\ufffd\ufffda%\u000e\ufffdo:\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 >\ufffd\ufffdC\ufffd\u0003\"\ufffd\ufffd\ufffd\ufffd\u0006f\ufffd\ufffd\ufffd%\ufffd\ufffd\ufffd\u0016\ufffd\ufffd\u0263[_\ufffd\ufffd\u0013\ufffd2",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r(\u0006:U8Uz\ufffd \ufffdQ\ufffd\ufffdl\ufffd5\u000e\ufffd0tmy\ufffdI\ufffd\ufffd\ufffdk\ufffd\ufffd* =\ufffd\ufffd\u001dG\u0002\ufffdL\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffdI\ufffd=\u0017\ufffd\ufffd\ufffda%\u000e\ufffdo:\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "adbc39646c1c1c96146960a8345142d90732efa0",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r(\u0006:U8Uz\ufffd \ufffdQ\ufffd\ufffdl\ufffd5\u000e\ufffd0tmy\ufffdI\ufffd\ufffd\ufffdk\ufffd\ufffd* =\ufffd\ufffd\u001dG\u0002\ufffdL\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffdI\ufffd=\u0017\ufffd\ufffd\ufffda%\u000e\ufffdo:\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\r(:U8Uz\ufffd \ufffdQ\ufffd\ufffdl\ufffd5\ufffd0tmy\ufffdI\ufffd\ufffd\ufffdk\ufffd\ufffd* =\ufffd\ufffdG\ufffdL\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffdI\ufffd=\ufffd\ufffd\ufffda%\ufffdo:\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r(\u0006:U8Uz\ufffd \ufffdQ\ufffd\ufffdl\ufffd5\u000e\ufffd0tmy\ufffdI\ufffd\ufffd\ufffdk\ufffd\ufffd* =\ufffd\ufffd\u001dG\u0002\ufffdL\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffdI\ufffd=\u0017\ufffd\ufffd\ufffda%\u000e\ufffdo:\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\r(:U8Uz\ufffd \ufffdQ\ufffd\ufffdl\ufffd5\ufffd0tmy\ufffdI\ufffd\ufffd\ufffdk\ufffd\ufffd* =\ufffd\ufffdG\ufffdL\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffdI\ufffd=\ufffd\ufffd\ufffda%\ufffdo:\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
������������ٶ $��Ӹϯ�sx-�7Y������1�Vo7/A �����N4zzk��o��&J�r,�sZgc�D�?����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������ٶ $��Ӹϯ�sx-�7Y������1�Vo7/A �����N4zzk��o��&J�r,�sZgc�D�?����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������ٶ $��Ӹϯ�sx-�7Y������1�Vo7/A �����N4zzk��o��&J�r,�sZgc�D�?����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� }�;��[q���y��1�+���R�-�qqp��� ��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.8052010214332075,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3e253e3f04cc63d8172080db1e84b11a",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0676\t$\ufffd\ufffd\u04f8\u03ef\ufffdsx-\ufffd7Y\ufffd\ufffd\ufffd\u0014\u0005\u001c1\ufffdVo7\/A \u001a\u0017\ufffd\ufffd\ufffdN4zzk\ufffd\bo\ufffd\u0014&J\ufffdr,\ufffdsZgc\ufffdD\ufffd?\ufffd\ufffd\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0676\t$\ufffd\ufffd\u04f8\u03ef\ufffdsx-\ufffd7Y\ufffd\ufffd\ufffd\u0014\u0005\u001c1\ufffdVo7\/A \u001a\u0017\ufffd\ufffd\ufffdN4zzk\ufffd\bo\ufffd\u0014&J\ufffdr,\ufffdsZgc\ufffdD\ufffd?\ufffd\ufffd\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 }\ufffd;\u0006\u0002[q\u0013\u0012\ufffdy\ufffd\ufffd1\ufffd+\ufffd\ufffd\ufffdR\u000e-\ufffdqqp\u0006\u0015\ufffd\u000b\ufffd\u001d",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0676\t$\ufffd\ufffd\u04f8\u03ef\ufffdsx-\ufffd7Y\ufffd\ufffd\ufffd\u0014\u0005\u001c1\ufffdVo7\/A \u001a\u0017\ufffd\ufffd\ufffdN4zzk\ufffd\bo\ufffd\u0014&J\ufffdr,\ufffdsZgc\ufffdD\ufffd?\ufffd\ufffd\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "54090ebf70db9629b2175974de2a677ad74c2621",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0676\t$\ufffd\ufffd\u04f8\u03ef\ufffdsx-\ufffd7Y\ufffd\ufffd\ufffd\u0014\u0005\u001c1\ufffdVo7\/A \u001a\u0017\ufffd\ufffd\ufffdN4zzk\ufffd\bo\ufffd\u0014&J\ufffdr,\ufffdsZgc\ufffdD\ufffd?\ufffd\ufffd\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u0676\t$\ufffd\ufffd\u04f8\u03ef\ufffdsx-\ufffd7Y\ufffd\ufffd\ufffd1\ufffdVo7\/A \ufffd\ufffd\ufffdN4zzk\ufffdo\ufffd&J\ufffdr,\ufffdsZgc\ufffdD\ufffd?\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0676\t$\ufffd\ufffd\u04f8\u03ef\ufffdsx-\ufffd7Y\ufffd\ufffd\ufffd\u0014\u0005\u001c1\ufffdVo7\/A \u001a\u0017\ufffd\ufffd\ufffdN4zzk\ufffd\bo\ufffd\u0014&J\ufffdr,\ufffdsZgc\ufffdD\ufffd?\ufffd\ufffd\u0006\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u0676\t$\ufffd\ufffd\u04f8\u03ef\ufffdsx-\ufffd7Y\ufffd\ufffd\ufffd1\ufffdVo7\/A \ufffd\ufffd\ufffdN4zzk\ufffdo\ufffd&J\ufffdr,\ufffdsZgc\ufffdD\ufffd?\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
�����������������Y\�jU�D� w�?�`5����E���� 0�D˼� ��� �O��b6���)��� B��y%ku�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������������Y\�jU�D�
w�?�`5����E���� 0�D˼�
���
�O��b6���)����B��y%ku�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������������Y\�jU�D� w�?�`5����E���� 0�D˼� ��� �O��b6���)��� B��y%ku�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����'��"�7H|�]��w��iOk!Kg���HA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.85027884657948,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "56bce971cc5d53314281f42853f86cee",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000f\ufffd\ufffd\u0006\ufffd\ufffdY\\\ufffdjU\ufffdD\ufffd\nw\ufffd?\u0000`5\ufffd\u0007\b\ufffdE\ufffd\u0012\ufffd\ufffd 0\ufffdD\u02fc\ufffd\n\ufffd\ufffd\ufffd\r\ufffdO\ufffd\ufffdb6\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\u000bB\ufffd\ufffdy%ku\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000f\ufffd\ufffd\u0006\ufffd\ufffdY\\\ufffdjU\ufffdD\ufffd\nw\ufffd?\u0000`5\ufffd\u0007\b\ufffdE\ufffd\u0012\ufffd\ufffd 0\ufffdD\u02fc\ufffd\n\ufffd\ufffd\ufffd\r\ufffdO\ufffd\ufffdb6\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\u000bB\ufffd\ufffdy%ku\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd\"\ufffd7H|\ufffd]\ufffd\ufffdw\ufffd\ufffdiOk!Kg\ufffd\ufffd\ufffdHA\r",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000f\ufffd\ufffd\u0006\ufffd\ufffdY\\\ufffdjU\ufffdD\ufffd\nw\ufffd?\u0000`5\ufffd\u0007\b\ufffdE\ufffd\u0012\ufffd\ufffd 0\ufffdD\u02fc\ufffd\n\ufffd\ufffd\ufffd\r\ufffdO\ufffd\ufffdb6\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\u000bB\ufffd\ufffdy%ku\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "07211346a118398f429d6e93d0ed9b4c1f86af37",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000f\ufffd\ufffd\u0006\ufffd\ufffdY\\\ufffdjU\ufffdD\ufffd\nw\ufffd?\u0000`5\ufffd\u0007\b\ufffdE\ufffd\u0012\ufffd\ufffd 0\ufffdD\u02fc\ufffd\n\ufffd\ufffd\ufffd\r\ufffdO\ufffd\ufffdb6\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\u000bB\ufffd\ufffdy%ku\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdY\\\ufffdjU\ufffdD\ufffd\nw\ufffd?`5\ufffd\ufffdE\ufffd\ufffd\ufffd 0\ufffdD\u02fc\ufffd\n\ufffd\ufffd\ufffd\r\ufffdO\ufffd\ufffdb6\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffdB\ufffd\ufffdy%ku&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000f\ufffd\ufffd\u0006\ufffd\ufffdY\\\ufffdjU\ufffdD\ufffd\nw\ufffd?\u0000`5\ufffd\u0007\b\ufffdE\ufffd\u0012\ufffd\ufffd 0\ufffdD\u02fc\ufffd\n\ufffd\ufffd\ufffd\r\ufffdO\ufffd\ufffdb6\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffd\u000bB\ufffd\ufffdy%ku\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdY\\\ufffdjU\ufffdD\ufffd\nw\ufffd?`5\ufffd\ufffdE\ufffd\ufffd\ufffd 0\ufffdD\u02fc\ufffd\n\ufffd\ufffd\ufffd\r\ufffdO\ufffd\ufffdb6\ufffd\ufffd\ufffd)\ufffd\ufffd\ufffdB\ufffd\ufffdy%ku&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
��������������[�)�ݳ� ���؈��p�3;�}��A�Y��� ����{rE��Zd�Gz_ �������ҫ$��ሼ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������[�)�ݳ�����؈��p�3;�}��A�Y��� ����{rE��Zd�Gz_ �������ҫ$��ሼ��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������[�)�ݳ� ���؈��p�3;�}��A�Y��� ����{rE��Zd�Gz_ �������ҫ$��ሼ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��\�\���/�*��)�fOZ$H��E�t �4�M�T
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.862174036289126,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f22578cb53d01097a24e7864063bc84f",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd[\ufffd)\ufffd\u0773\ufffd\f\u0011\u0006\ufffd\u0608\ufffd\ufffdp\ufffd3;\ufffd}\ufffd\ufffdA\ufffdY\ufffd\u001e\ufffd \ufffd\ufffd\ufffd\u0013{rE\ufffd\ufffdZd\ufffdGz_\t\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\u04ab$\u0006\ufffd\u123c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd[\ufffd)\ufffd\u0773\ufffd\f\u0011\u0006\ufffd\u0608\ufffd\ufffdp\ufffd3;\ufffd}\ufffd\ufffdA\ufffdY\ufffd\u001e\ufffd \ufffd\ufffd\ufffd\u0013{rE\ufffd\ufffdZd\ufffdGz_\t\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\u04ab$\u0006\ufffd\u123c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0014\\\u0018\\\ufffd\ufffd\u0016\/\u001f*\ufffd\ufffd)\ufffdfOZ$H\ufffd\ufffdE\ufffdt\t\ufffd4\ufffdM\ufffdT",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd[\ufffd)\ufffd\u0773\ufffd\f\u0011\u0006\ufffd\u0608\ufffd\ufffdp\ufffd3;\ufffd}\ufffd\ufffdA\ufffdY\ufffd\u001e\ufffd \ufffd\ufffd\ufffd\u0013{rE\ufffd\ufffdZd\ufffdGz_\t\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\u04ab$\u0006\ufffd\u123c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7f9b93ea90109e287b1e8d59d4751a4f9901c961",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd[\ufffd)\ufffd\u0773\ufffd\f\u0011\u0006\ufffd\u0608\ufffd\ufffdp\ufffd3;\ufffd}\ufffd\ufffdA\ufffdY\ufffd\u001e\ufffd \ufffd\ufffd\ufffd\u0013{rE\ufffd\ufffdZd\ufffdGz_\t\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\u04ab$\u0006\ufffd\u123c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd[\ufffd)\ufffd\u0773\ufffd\ufffd\u0608\ufffd\ufffdp\ufffd3;\ufffd}\ufffd\ufffdA\ufffdY\ufffd\ufffd \ufffd\ufffd\ufffd{rE\ufffd\ufffdZd\ufffdGz_\t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04ab$\ufffd\u123c\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd[\ufffd)\ufffd\u0773\ufffd\f\u0011\u0006\ufffd\u0608\ufffd\ufffdp\ufffd3;\ufffd}\ufffd\ufffdA\ufffdY\ufffd\u001e\ufffd \ufffd\ufffd\ufffd\u0013{rE\ufffd\ufffdZd\ufffdGz_\t\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\ufffd\u04ab$\u0006\ufffd\u123c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd[\ufffd)\ufffd\u0773\ufffd\ufffd\u0608\ufffd\ufffdp\ufffd3;\ufffd}\ufffd\ufffdA\ufffdY\ufffd\ufffd \ufffd\ufffd\ufffd{rE\ufffd\ufffdZd\ufffdGz_\t\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u04ab$\ufffd\u123c\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
�������������u������o��6�B>�����d.�B�}�.�� �Ce_��fX��0�l�^J{'�iu�P5=g�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������u������o��6�B>�����d.�B�}�.�� �Ce_��fX��0�l�^J{'�iu�P5=g�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������u������o��6�B>�����d.�B�}�.�� �Ce_��fX��0�l�^J{'�iu�P5=g�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��GR���y�$��7G��S.fjnI�$f��@h 1/
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.891097778809698,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "34c7f0e37625f52707bdadafcd9f1051",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffd\u000f\u0005\ufffd\ufffdo\u001e\ufffd6\ufffdB>\ufffd\ufffd\u0013\ufffd\ufffdd.\ufffdB\ufffd}\ufffd.\u000f\ufffd \ufffdCe_\ufffd\ufffdfX\ufffd\ufffd0\ufffdl\ufffd^J{'\ufffdiu\ufffdP5=g\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffd\u000f\u0005\ufffd\ufffdo\u001e\ufffd6\ufffdB>\ufffd\ufffd\u0013\ufffd\ufffdd.\ufffdB\ufffd}\ufffd.\u000f\ufffd \ufffdCe_\ufffd\ufffdfX\ufffd\ufffd0\ufffdl\ufffd^J{'\ufffdiu\ufffdP5=g\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0019\ufffdGR\u001c\u0015\ufffdy\ufffd$\ufffd\ufffd7G\ufffd\ufffdS.fjnI\ufffd$f\ufffd\ufffd@h\r1\/",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffd\u000f\u0005\ufffd\ufffdo\u001e\ufffd6\ufffdB>\ufffd\ufffd\u0013\ufffd\ufffdd.\ufffdB\ufffd}\ufffd.\u000f\ufffd \ufffdCe_\ufffd\ufffdfX\ufffd\ufffd0\ufffdl\ufffd^J{'\ufffdiu\ufffdP5=g\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7eefb39cfe27a3f408a4157ef6e4a02647b9261f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffd\u000f\u0005\ufffd\ufffdo\u001e\ufffd6\ufffdB>\ufffd\ufffd\u0013\ufffd\ufffdd.\ufffdB\ufffd}\ufffd.\u000f\ufffd \ufffdCe_\ufffd\ufffdfX\ufffd\ufffd0\ufffdl\ufffd^J{'\ufffdiu\ufffdP5=g\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffdo\ufffd6\ufffdB>\ufffd\ufffd\ufffd\ufffdd.\ufffdB\ufffd}\ufffd.\ufffd \ufffdCe_\ufffd\ufffdfX\ufffd\ufffd0\ufffdl\ufffd^J{'\ufffdiu\ufffdP5=g\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffd\u000f\u0005\ufffd\ufffdo\u001e\ufffd6\ufffdB>\ufffd\ufffd\u0013\ufffd\ufffdd.\ufffdB\ufffd}\ufffd.\u000f\ufffd \ufffdCe_\ufffd\ufffdfX\ufffd\ufffd0\ufffdl\ufffd^J{'\ufffdiu\ufffdP5=g\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffdo\ufffd6\ufffdB>\ufffd\ufffd\ufffd\ufffdd.\ufffdB\ufffd}\ufffd.\ufffd \ufffdCe_\ufffd\ufffdfX\ufffd\ufffd0\ufffdl\ufffd^J{'\ufffdiu\ufffdP5=g\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
������������,��x��\�&��o��ŭ��Uf����E���)�a �`��D �n�bƆ��v���+���Qs����ݨ ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������,��x��\�&��o��ŭ��Uf����E���)�a �`��D
�n�bƆ��v���+���Qs����ݨ
��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������,��x��\�&��o��ŭ��Uf����E���)�a �`��D �n�bƆ��v���+���Qs����ݨ ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���+2n(|�+�6�}?���H=q3g+��Y��Ӆ?
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.730503160332935,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fe9f978735b2e324aa604965bf0e9734",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\u0002x\ufffd\ufffd\\\ufffd&\ufffd\ufffdo\ufffd\u0005\u016d\ufffd\ufffdUf\u0011\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd)\u000fa \ufffd`\u0006\ufffdD\r\ufffdn\u0007b\u0186\b\ufffdv\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdQs\ufffd\ufffd\ufffd\ufffd\u0768\n\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\u0002x\ufffd\ufffd\\\ufffd&\ufffd\ufffdo\ufffd\u0005\u016d\ufffd\ufffdUf\u0011\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd)\u000fa \ufffd`\u0006\ufffdD\r\ufffdn\u0007b\u0186\b\ufffdv\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdQs\ufffd\ufffd\ufffd\ufffd\u0768\n\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0018\ufffd+2n(|\ufffd+\u001d6\u0000}?\u0003\ufffd\ufffdH=q3g+\ufffd\ufffdY\ufffd\u0013\u04c5?",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\u0002x\ufffd\ufffd\\\ufffd&\ufffd\ufffdo\ufffd\u0005\u016d\ufffd\ufffdUf\u0011\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd)\u000fa \ufffd`\u0006\ufffdD\r\ufffdn\u0007b\u0186\b\ufffdv\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdQs\ufffd\ufffd\ufffd\ufffd\u0768\n\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "af78d657f2396b05b4090a7937c37ea9bae3d250",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\u0002x\ufffd\ufffd\\\ufffd&\ufffd\ufffdo\ufffd\u0005\u016d\ufffd\ufffdUf\u0011\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd)\u000fa \ufffd`\u0006\ufffdD\r\ufffdn\u0007b\u0186\b\ufffdv\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdQs\ufffd\ufffd\ufffd\ufffd\u0768\n\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd,\ufffdx\ufffd\ufffd\\\ufffd&\ufffd\ufffdo\ufffd\u016d\ufffd\ufffdUf\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd)a \ufffd`\ufffdD\r\ufffdnb\u0186\ufffdv\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdQs\ufffd\ufffd\ufffd\ufffd\u0768\n\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\u0002x\ufffd\ufffd\\\ufffd&\ufffd\ufffdo\ufffd\u0005\u016d\ufffd\ufffdUf\u0011\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd)\u000fa \ufffd`\u0006\ufffdD\r\ufffdn\u0007b\u0186\b\ufffdv\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdQs\ufffd\ufffd\ufffd\ufffd\u0768\n\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd,\ufffdx\ufffd\ufffd\\\ufffd&\ufffd\ufffdo\ufffd\u016d\ufffd\ufffdUf\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd)a \ufffd`\ufffdD\r\ufffdnb\u0186\ufffdv\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffdQs\ufffd\ufffd\ufffd\ufffd\u0768\n\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
������������O���T���(� `��.��5�r�.��4�%?�k" 툞�����>|T�3�wS�u h�˩-�R��+��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������O���T���(�
`��.��5�r�.��4�%?�k" 툞�����>|T�3�wS�u
h�˩-�R��+��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������O���T���(� `��.��5�r�.��4�%?�k" 툞�����>|T�3�wS�u h�˩-�R��+��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����W���x���t)JPecX�:+ )x`3g��H\
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.805968844630593,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "80a81340320361e120ff9ff855fa4c0a",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001cO\ufffd\ufffd\ufffdT\ufffd\ufffd\ufffd(\ufffd\r`\ufffd\u0014.\ufffd\ufffd5\ufffdr\ufffd.\ufffd\ufffd4\ufffd%?\ufffdk\" \ud21e\u0014\ufffd\ufffd\ufffd\ufffd>|T\ufffd3\u001awS\u001au\nh\ufffd\u02e9-\u0016R\ufffd\ufffd+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001cO\ufffd\ufffd\ufffdT\ufffd\ufffd\ufffd(\ufffd\r`\ufffd\u0014.\ufffd\ufffd5\ufffdr\ufffd.\ufffd\ufffd4\ufffd%?\ufffdk\" \ud21e\u0014\ufffd\ufffd\ufffd\ufffd>|T\ufffd3\u001awS\u001au\nh\ufffd\u02e9-\u0016R\ufffd\ufffd+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0010W\ufffd\ufffd\ufffdx\ufffd\ufffd\u0000t)JPecX\ufffd:+\n)x`3g\ufffd\ufffdH\\",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001cO\ufffd\ufffd\ufffdT\ufffd\ufffd\ufffd(\ufffd\r`\ufffd\u0014.\ufffd\ufffd5\ufffdr\ufffd.\ufffd\ufffd4\ufffd%?\ufffdk\" \ud21e\u0014\ufffd\ufffd\ufffd\ufffd>|T\ufffd3\u001awS\u001au\nh\ufffd\u02e9-\u0016R\ufffd\ufffd+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9d4aa354f29ed942d409a8ab638459b5daf6cb4e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001cO\ufffd\ufffd\ufffdT\ufffd\ufffd\ufffd(\ufffd\r`\ufffd\u0014.\ufffd\ufffd5\ufffdr\ufffd.\ufffd\ufffd4\ufffd%?\ufffdk\" \ud21e\u0014\ufffd\ufffd\ufffd\ufffd>|T\ufffd3\u001awS\u001au\nh\ufffd\u02e9-\u0016R\ufffd\ufffd+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffdO\ufffd\ufffd\ufffdT\ufffd\ufffd\ufffd(\ufffd\r`\ufffd.\ufffd\ufffd5\ufffdr\ufffd.\ufffd\ufffd4\ufffd%?\ufffdk\" \ud21e\ufffd\ufffd\ufffd\ufffd>|T\ufffd3wSu\nh\ufffd\u02e9-R\ufffd\ufffd+\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001cO\ufffd\ufffd\ufffdT\ufffd\ufffd\ufffd(\ufffd\r`\ufffd\u0014.\ufffd\ufffd5\ufffdr\ufffd.\ufffd\ufffd4\ufffd%?\ufffdk\" \ud21e\u0014\ufffd\ufffd\ufffd\ufffd>|T\ufffd3\u001awS\u001au\nh\ufffd\u02e9-\u0016R\ufffd\ufffd+\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdO\ufffd\ufffd\ufffdT\ufffd\ufffd\ufffd(\ufffd\r`\ufffd.\ufffd\ufffd5\ufffdr\ufffd.\ufffd\ufffd4\ufffd%?\ufffdk\" \ud21e\ufffd\ufffd\ufffd\ufffd>|T\ufffd3wSu\nh\ufffd\u02e9-R\ufffd\ufffd+\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
������������������?�`�q�o�:���TA�S��-�#Q��� ��LC�]��O�F/� ]@�Z�b-��*�C�Θ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������������?�`�q�o�:���TA�S��-�#Q��� ��LC�]��O�F/��]@�Z�b-��*�C�Θ�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������������?�`�q�o�:���TA�S��-�#Q��� ��LC�]��O�F/� ]@�Z�b-��*�C�Θ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��R�ǜtAN�!�?Q� ���ϛ&�d�������I
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.895321316290019,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "902cf2fdda75a6db60c536cd6b523e74",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\u0014?\u0019`\ufffdq\ufffdo\ufffd:\u001d\ufffd\ufffdTA\ufffdS\ufffd\ufffd-\u001c#Q\ufffd\ufffd\ufffd \ufffd\ufffdLC\ufffd]\ufffd\ufffdO\u001cF\/\ufffd\u000b]@\ufffdZ\ufffdb-\ufffd\ufffd*\ufffdC\ufffd\u0398\ueaa6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\u0014?\u0019`\ufffdq\ufffdo\ufffd:\u001d\ufffd\ufffdTA\ufffdS\ufffd\ufffd-\u001c#Q\ufffd\ufffd\ufffd \ufffd\ufffdLC\ufffd]\ufffd\ufffdO\u001cF\/\ufffd\u000b]@\ufffdZ\ufffdb-\ufffd\ufffd*\ufffdC\ufffd\u0398\ueaa6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdR\u0011\u01dctAN\ufffd!\u0003?Q\ufffd\u000b\u0003\ufffd\ufffd\u03db&\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdI",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\u0014?\u0019`\ufffdq\ufffdo\ufffd:\u001d\ufffd\ufffdTA\ufffdS\ufffd\ufffd-\u001c#Q\ufffd\ufffd\ufffd \ufffd\ufffdLC\ufffd]\ufffd\ufffdO\u001cF\/\ufffd\u000b]@\ufffdZ\ufffdb-\ufffd\ufffd*\ufffdC\ufffd\u0398\ueaa6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "80d2edc31d5054886c47d23762cabc077464fc8e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\u0014?\u0019`\ufffdq\ufffdo\ufffd:\u001d\ufffd\ufffdTA\ufffdS\ufffd\ufffd-\u001c#Q\ufffd\ufffd\ufffd \ufffd\ufffdLC\ufffd]\ufffd\ufffdO\u001cF\/\ufffd\u000b]@\ufffdZ\ufffdb-\ufffd\ufffd*\ufffdC\ufffd\u0398\ueaa6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd?`\ufffdq\ufffdo\ufffd:\ufffd\ufffdTA\ufffdS\ufffd\ufffd-#Q\ufffd\ufffd\ufffd \ufffd\ufffdLC\ufffd]\ufffd\ufffdOF\/\ufffd]@\ufffdZ\ufffdb-\ufffd\ufffd*\ufffdC\ufffd\u0398\ueaa6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\u0014?\u0019`\ufffdq\ufffdo\ufffd:\u001d\ufffd\ufffdTA\ufffdS\ufffd\ufffd-\u001c#Q\ufffd\ufffd\ufffd \ufffd\ufffdLC\ufffd]\ufffd\ufffdO\u001cF\/\ufffd\u000b]@\ufffdZ\ufffdb-\ufffd\ufffd*\ufffdC\ufffd\u0398\ueaa6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd?`\ufffdq\ufffdo\ufffd:\ufffd\ufffdTA\ufffdS\ufffd\ufffd-#Q\ufffd\ufffd\ufffd \ufffd\ufffdLC\ufffd]\ufffd\ufffdOF\/\ufffd]@\ufffdZ\ufffdb-\ufffd\ufffd*\ufffdC\ufffd\u0398\ueaa6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
�����������NB�ԱL��%5�s��@���-�pSW��d�6;#� ����tP�ݚν�����+�K�*���t�,'{lo��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������NB�ԱL��%5�s��@���-�pSW��d�6;#� ����tP�ݚν�����+�K�*���t�,'{lo��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������NB�ԱL��%5�s��@���-�pSW��d�6;#� ����tP�ݚν�����+�K�*���t�,'{lo��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ٻ�I���!��5*������.���:��;�8 ��}
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.858804936010468,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "57fc1509686d70be78e1c3f4241d2664",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003NB\ufffd\u0531L\ufffd\ufffd%5\ufffds\ufffd\ufffd@\ufffd\u0011\ufffd-\ufffdpSW\ufffd\ufffdd\ufffd6;#\ufffd \ufffd\ufffd\ufffd\ufffdtP\u001d\u075a\u03bd\ufffd\ufffd\u0003\u001e\u001a+\ufffdK\ufffd*\ufffd\ufffd\u001ct\ufffd,'{lo\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003NB\ufffd\u0531L\ufffd\ufffd%5\ufffds\ufffd\ufffd@\ufffd\u0011\ufffd-\ufffdpSW\ufffd\ufffdd\ufffd6;#\ufffd \ufffd\ufffd\ufffd\ufffdtP\u001d\u075a\u03bd\ufffd\ufffd\u0003\u001e\u001a+\ufffdK\ufffd*\ufffd\ufffd\u001ct\ufffd,'{lo\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u067b\ufffdI\ufffd\u0012\ufffd!\ufffd\ufffd5*\u0012\ufffd\ufffd\ufffd\ufffd\ufffd.\ufffd\ufffd\u0005:\u0000\ufffd;\ufffd8\t\ufffd\ufffd}",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003NB\ufffd\u0531L\ufffd\ufffd%5\ufffds\ufffd\ufffd@\ufffd\u0011\ufffd-\ufffdpSW\ufffd\ufffdd\ufffd6;#\ufffd \ufffd\ufffd\ufffd\ufffdtP\u001d\u075a\u03bd\ufffd\ufffd\u0003\u001e\u001a+\ufffdK\ufffd*\ufffd\ufffd\u001ct\ufffd,'{lo\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "068be93dce25c2f83e1104b42e1ebeb4142cd2c1",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003NB\ufffd\u0531L\ufffd\ufffd%5\ufffds\ufffd\ufffd@\ufffd\u0011\ufffd-\ufffdpSW\ufffd\ufffdd\ufffd6;#\ufffd \ufffd\ufffd\ufffd\ufffdtP\u001d\u075a\u03bd\ufffd\ufffd\u0003\u001e\u001a+\ufffdK\ufffd*\ufffd\ufffd\u001ct\ufffd,'{lo\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffdNB\ufffd\u0531L\ufffd\ufffd%5\ufffds\ufffd\ufffd@\ufffd\ufffd-\ufffdpSW\ufffd\ufffdd\ufffd6;#\ufffd \ufffd\ufffd\ufffd\ufffdtP\u075a\u03bd\ufffd\ufffd+\ufffdK\ufffd*\ufffd\ufffdt\ufffd,'{lo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003NB\ufffd\u0531L\ufffd\ufffd%5\ufffds\ufffd\ufffd@\ufffd\u0011\ufffd-\ufffdpSW\ufffd\ufffdd\ufffd6;#\ufffd \ufffd\ufffd\ufffd\ufffdtP\u001d\u075a\u03bd\ufffd\ufffd\u0003\u001e\u001a+\ufffdK\ufffd*\ufffd\ufffd\u001ct\ufffd,'{lo\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdNB\ufffd\u0531L\ufffd\ufffd%5\ufffds\ufffd\ufffd@\ufffd\ufffd-\ufffdpSW\ufffd\ufffdd\ufffd6;#\ufffd \ufffd\ufffd\ufffd\ufffdtP\u075a\u03bd\ufffd\ufffd+\ufffdK\ufffd*\ufffd\ufffdt\ufffd,'{lo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
����������� �{��\�C���NA�'��D`����yOf��w-� yQY���Le5��qT�^��h�x��� �%�lP1��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������{��\�C���NA�'��D`����yOf��w-� yQY���Le5��qT�^��h�x�����%�lP1��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������� �{��\�C���NA�'��D`����yOf��w-� yQY���Le5��qT�^��h�x��� �%�lP1��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �Ga _@ALu���� �?R>��S][��W�XɗN
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.884919846371444,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "74478e46147184f945c4d62e749de941",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000b\ufffd{\ufffd\u0012\\\ufffdC\ufffd\ufffd\ufffdNA\ufffd'\ufffd\u0013D`\u0015\ufffd\ufffd\u0010yOf\ufffd\ufffdw-\u0001 yQY\u0005\ufffd\ufffdLe5\ufffd\u0012qT\ufffd^\ufffd\ufffdh\u001dx\ufffd\ufffd\ufffd\u000b\ufffd%\u0017lP1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000b\ufffd{\ufffd\u0012\\\ufffdC\ufffd\ufffd\ufffdNA\ufffd'\ufffd\u0013D`\u0015\ufffd\ufffd\u0010yOf\ufffd\ufffdw-\u0001 yQY\u0005\ufffd\ufffdLe5\ufffd\u0012qT\ufffd^\ufffd\ufffdh\u001dx\ufffd\ufffd\ufffd\u000b\ufffd%\u0017lP1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdGa\u000b_@ALu\ufffd\ufffd\ufffd\ufffd \b?R>\u001a\ufffdS][\ufffd\ufffdW\ufffdX\u0257N",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000b\ufffd{\ufffd\u0012\\\ufffdC\ufffd\ufffd\ufffdNA\ufffd'\ufffd\u0013D`\u0015\ufffd\ufffd\u0010yOf\ufffd\ufffdw-\u0001 yQY\u0005\ufffd\ufffdLe5\ufffd\u0012qT\ufffd^\ufffd\ufffdh\u001dx\ufffd\ufffd\ufffd\u000b\ufffd%\u0017lP1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1e885b61fd0076813b04697153967d34284a8c59",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000b\ufffd{\ufffd\u0012\\\ufffdC\ufffd\ufffd\ufffdNA\ufffd'\ufffd\u0013D`\u0015\ufffd\ufffd\u0010yOf\ufffd\ufffdw-\u0001 yQY\u0005\ufffd\ufffdLe5\ufffd\u0012qT\ufffd^\ufffd\ufffdh\u001dx\ufffd\ufffd\ufffd\u000b\ufffd%\u0017lP1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd{\ufffd\\\ufffdC\ufffd\ufffd\ufffdNA\ufffd'\ufffdD`\ufffd\ufffdyOf\ufffd\ufffdw- yQY\ufffd\ufffdLe5\ufffdqT\ufffd^\ufffd\ufffdhx\ufffd\ufffd\ufffd\ufffd%lP1\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000b\ufffd{\ufffd\u0012\\\ufffdC\ufffd\ufffd\ufffdNA\ufffd'\ufffd\u0013D`\u0015\ufffd\ufffd\u0010yOf\ufffd\ufffdw-\u0001 yQY\u0005\ufffd\ufffdLe5\ufffd\u0012qT\ufffd^\ufffd\ufffdh\u001dx\ufffd\ufffd\ufffd\u000b\ufffd%\u0017lP1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd{\ufffd\\\ufffdC\ufffd\ufffd\ufffdNA\ufffd'\ufffdD`\ufffd\ufffdyOf\ufffd\ufffdw- yQY\ufffd\ufffdLe5\ufffdqT\ufffd^\ufffd\ufffdhx\ufffd\ufffd\ufffd\ufffd%lP1\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
�����������;�sǩ�IN����d�((�j�����R�;��KgI� jm�����M���`�-���) �[���r`�: �&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������;�sǩ�IN����d�((�j�����R�;��KgI� jm�����M���`�-���)��[���r`�:��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������;�sǩ�IN����d�((�j�����R�;��KgI� jm�����M���`�-���) �[���r`�: �&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ]��V:!p ���olj�]6V?a�݆�uΏ�"��q
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.878184948988858,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1aea8ce73cc13097cc7e9daced6855e3",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\u000fs\u01e9\ufffdIN\ufffd\ufffd\u0011\ufffdd\ufffd((\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;\ufffd\ufffdKgI\ufffd jm\ufffd\ufffd\ufffd\u001e\u05ce\u001eM\u0001\ufffd\ufffd`\ufffd-\ufffd\u000f\u0005)\f\ufffd[\ufffd\ufffd\ufffdr`\ufffd:\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\u000fs\u01e9\ufffdIN\ufffd\ufffd\u0011\ufffdd\ufffd((\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;\ufffd\ufffdKgI\ufffd jm\ufffd\ufffd\ufffd\u001e\u05ce\u001eM\u0001\ufffd\ufffd`\ufffd-\ufffd\u000f\u0005)\f\ufffd[\ufffd\ufffd\ufffdr`\ufffd:\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 ]\ufffd\u0013V:!p\r\ufffd\u001c\ufffdo\u01c9\ufffd]6V?a\u0018\u0746\ufffdu\u038f\ufffd\"\ufffd\u000fq",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\u000fs\u01e9\ufffdIN\ufffd\ufffd\u0011\ufffdd\ufffd((\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;\ufffd\ufffdKgI\ufffd jm\ufffd\ufffd\ufffd\u001e\u05ce\u001eM\u0001\ufffd\ufffd`\ufffd-\ufffd\u000f\u0005)\f\ufffd[\ufffd\ufffd\ufffdr`\ufffd:\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2c0b387f87d90e5c9dfc05aee6a6f8a2cf0cb8e4",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\u000fs\u01e9\ufffdIN\ufffd\ufffd\u0011\ufffdd\ufffd((\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;\ufffd\ufffdKgI\ufffd jm\ufffd\ufffd\ufffd\u001e\u05ce\u001eM\u0001\ufffd\ufffd`\ufffd-\ufffd\u000f\u0005)\f\ufffd[\ufffd\ufffd\ufffdr`\ufffd:\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd;s\u01e9\ufffdIN\ufffd\ufffd\ufffdd\ufffd((\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;\ufffd\ufffdKgI\ufffd jm\ufffd\ufffd\ufffd\u05ceM\ufffd\ufffd`\ufffd-\ufffd)\ufffd[\ufffd\ufffd\ufffdr`\ufffd:&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\u000fs\u01e9\ufffdIN\ufffd\ufffd\u0011\ufffdd\ufffd((\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;\ufffd\ufffdKgI\ufffd jm\ufffd\ufffd\ufffd\u001e\u05ce\u001eM\u0001\ufffd\ufffd`\ufffd-\ufffd\u000f\u0005)\f\ufffd[\ufffd\ufffd\ufffdr`\ufffd:\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd;s\u01e9\ufffdIN\ufffd\ufffd\ufffdd\ufffd((\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd;\ufffd\ufffdKgI\ufffd jm\ufffd\ufffd\ufffd\u05ceM\ufffd\ufffd`\ufffd-\ufffd)\ufffd[\ufffd\ufffd\ufffdr`\ufffd:&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
������������pt9bކ���b�6i��r���6ў���<s���� G:�Ȁ�ǃ&]�SN�Y�#_�φ� ��G�o�h��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������pt9bކ���b�6i��r���6ў���<s���� G:�Ȁ�ǃ&]�SN�Y�#_�φ� ��G�o�h��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������pt9bކ���b�6i��r���6ў���<s���� G:�Ȁ�ǃ&]�SN�Y�#_�φ� ��G�o�h��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� B�*M� � dZ��.���ڂ�����v�Bnl/%�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.908669874793885,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3c7a1f9a5e543442873118a28f863571",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018pt9b\u0786\ufffd\u0012\ufffdb\b6i\ufffd\ufffdr\ufffd\ufffd\ufffd6\u045e\ufffd\ufffd\ufffd<s\ufffd\ufffd\ufffd\ufffd G:\ufffd\u0200\u001a\u01c3&]\ufffdSN\ufffdY\ufffd#_\ufffd\u03c6\ufffd \ufffd\ufffdG\ufffdo\ufffdh\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018pt9b\u0786\ufffd\u0012\ufffdb\b6i\ufffd\ufffdr\ufffd\ufffd\ufffd6\u045e\ufffd\ufffd\ufffd<s\ufffd\ufffd\ufffd\ufffd G:\ufffd\u0200\u001a\u01c3&]\ufffdSN\ufffdY\ufffd#_\ufffd\u03c6\ufffd \ufffd\ufffdG\ufffdo\ufffdh\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 B\ufffd*M\ufffd\r\ufffd\rdZ\ufffd\ufffd.\ufffd\ufffd\ufffd\u0682\ufffd\ufffd\ufffd\ufffd\ufffdv\ufffdBnl\/%\b",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018pt9b\u0786\ufffd\u0012\ufffdb\b6i\ufffd\ufffdr\ufffd\ufffd\ufffd6\u045e\ufffd\ufffd\ufffd<s\ufffd\ufffd\ufffd\ufffd G:\ufffd\u0200\u001a\u01c3&]\ufffdSN\ufffdY\ufffd#_\ufffd\u03c6\ufffd \ufffd\ufffdG\ufffdo\ufffdh\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "54cd54d3d8f069fae8922253b5383d8449c839d6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018pt9b\u0786\ufffd\u0012\ufffdb\b6i\ufffd\ufffdr\ufffd\ufffd\ufffd6\u045e\ufffd\ufffd\ufffd<s\ufffd\ufffd\ufffd\ufffd G:\ufffd\u0200\u001a\u01c3&]\ufffdSN\ufffdY\ufffd#_\ufffd\u03c6\ufffd \ufffd\ufffdG\ufffdo\ufffdh\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffdpt9b\u0786\ufffd\ufffdb6i\ufffd\ufffdr\ufffd\ufffd\ufffd6\u045e\ufffd\ufffd\ufffd<s\ufffd\ufffd\ufffd\ufffd G:\ufffd\u0200\u01c3&]\ufffdSN\ufffdY\ufffd#_\ufffd\u03c6\ufffd \ufffd\ufffdG\ufffdo\ufffdh\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018pt9b\u0786\ufffd\u0012\ufffdb\b6i\ufffd\ufffdr\ufffd\ufffd\ufffd6\u045e\ufffd\ufffd\ufffd<s\ufffd\ufffd\ufffd\ufffd G:\ufffd\u0200\u001a\u01c3&]\ufffdSN\ufffdY\ufffd#_\ufffd\u03c6\ufffd \ufffd\ufffdG\ufffdo\ufffdh\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdpt9b\u0786\ufffd\ufffdb6i\ufffd\ufffdr\ufffd\ufffd\ufffd6\u045e\ufffd\ufffd\ufffd<s\ufffd\ufffd\ufffd\ufffd G:\ufffd\u0200\u01c3&]\ufffdSN\ufffdY\ufffd#_\ufffd\u03c6\ufffd \ufffd\ufffdG\ufffdo\ufffdh\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
�����������R�W/+�+>���qB�R��� �n0s39� ~W k��!e�����c]fx����)E����"E���JV�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������R�W/+�+>���qB�R�����n0s39�
~W k��!e�����c]fx����)E����"E���JV�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������R�W/+�+>���qB�R��� �n0s39� ~W k��!e�����c]fx����)E����"E���JV�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��ͯ������Y��ɉ���]����f����� 2
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.764478689982502,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6a4c27782864f19001ffe9102c9147e9",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\u0015W\/+\ufffd+>\u0012\ufffd\u0005qB\ufffdR\ufffd\ufffd\ufffd\f\ufffdn\u008b0s39\ufffd\r~W k\ufffd\ufffd!e\ufffd\ufffd\ufffd\ufffd\ufffdc]fx\ufffd\ufffd\ufffd\b)E\ufffd\ufffd\u0014\ufffd\"E\ufffd\u0015\u0002JV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\u0015W\/+\ufffd+>\u0012\ufffd\u0005qB\ufffdR\ufffd\ufffd\ufffd\f\ufffdn\u008b0s39\ufffd\r~W k\ufffd\ufffd!e\ufffd\ufffd\ufffd\ufffd\ufffdc]fx\ufffd\ufffd\ufffd\b)E\ufffd\ufffd\u0014\ufffd\"E\ufffd\u0015\u0002JV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u036f\ufffd\ufffd\ufffd\u001e\ufffd\ufffdY\ufffd\u000f\u0249\ufffd\ufffd\ufffd]\ufffd\ufffd\ufffd\ufffdf\u0000\ufffd\ufffd\ufffd\ufffd\f2",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\u0015W\/+\ufffd+>\u0012\ufffd\u0005qB\ufffdR\ufffd\ufffd\ufffd\f\ufffdn\u008b0s39\ufffd\r~W k\ufffd\ufffd!e\ufffd\ufffd\ufffd\ufffd\ufffdc]fx\ufffd\ufffd\ufffd\b)E\ufffd\ufffd\u0014\ufffd\"E\ufffd\u0015\u0002JV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "022ec4c6bbe25c9b11eb8d7505cc362ed1cf02b1",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\u0015W\/+\ufffd+>\u0012\ufffd\u0005qB\ufffdR\ufffd\ufffd\ufffd\f\ufffdn\u008b0s39\ufffd\r~W k\ufffd\ufffd!e\ufffd\ufffd\ufffd\ufffd\ufffdc]fx\ufffd\ufffd\ufffd\b)E\ufffd\ufffd\u0014\ufffd\"E\ufffd\u0015\u0002JV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffdRW\/+\ufffd+>\ufffdqB\ufffdR\ufffd\ufffd\ufffd\ufffdn\u008b0s39\ufffd\r~W k\ufffd\ufffd!e\ufffd\ufffd\ufffd\ufffd\ufffdc]fx\ufffd\ufffd\ufffd)E\ufffd\ufffd\ufffd\"E\ufffdJV&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\u0015W\/+\ufffd+>\u0012\ufffd\u0005qB\ufffdR\ufffd\ufffd\ufffd\f\ufffdn\u008b0s39\ufffd\r~W k\ufffd\ufffd!e\ufffd\ufffd\ufffd\ufffd\ufffdc]fx\ufffd\ufffd\ufffd\b)E\ufffd\ufffd\u0014\ufffd\"E\ufffd\u0015\u0002JV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdRW\/+\ufffd+>\ufffdqB\ufffdR\ufffd\ufffd\ufffd\ufffdn\u008b0s39\ufffd\r~W k\ufffd\ufffd!e\ufffd\ufffd\ufffd\ufffd\ufffdc]fx\ufffd\ufffd\ufffd)E\ufffd\ufffd\ufffd\"E\ufffdJV&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
��������������>��[ ��)���v65ۃ��>�K�&�� ��S k(�0�8�tβ�.^��Շ�0���ם�� y�a��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������>��[
��)���v65ۃ��>�K�&�� ��S k(�0�8�tβ�.^��Շ�0���ם�� y�a��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������>��[ ��)���v65ۃ��>�K�&�� ��S k(�0�8�tβ�.^��Շ�0���ם�� y�a��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� zS�&|�u&�I���d�R�#����E�@�@���d
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.810331527813968,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "34990f711b3d594c86878565aa9bcd72",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\b>\ufffd\u0016[\n\ufffd\ufffd)\u0012\ufffd\ufffdv65\u06c3\ufffd\ufffd>\u0004K\ufffd&\ufffd\u0006\t\ufffd\ufffdS k(\u00170\u001f8\ufffdt\u03b2\ufffd.^\ufffd\ufffd\u0547\ufffd0\ufffd\ufffd\u0012\u05dd\ufffd\ufffd\ty\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\b>\ufffd\u0016[\n\ufffd\ufffd)\u0012\ufffd\ufffdv65\u06c3\ufffd\ufffd>\u0004K\ufffd&\ufffd\u0006\t\ufffd\ufffdS k(\u00170\u001f8\ufffdt\u03b2\ufffd.^\ufffd\ufffd\u0547\ufffd0\ufffd\ufffd\u0012\u05dd\ufffd\ufffd\ty\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 zS\ufffd&|\ufffdu&\ufffdI\u0012\ufffd\ufffdd\u0019R\ufffd#\ufffd\ufffd\ufffd\ufffdE\ufffd@\ufffd@\ufffd\ufffd\ufffdd",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\b>\ufffd\u0016[\n\ufffd\ufffd)\u0012\ufffd\ufffdv65\u06c3\ufffd\ufffd>\u0004K\ufffd&\ufffd\u0006\t\ufffd\ufffdS k(\u00170\u001f8\ufffdt\u03b2\ufffd.^\ufffd\ufffd\u0547\ufffd0\ufffd\ufffd\u0012\u05dd\ufffd\ufffd\ty\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "845ed3b7e42611ee4f60cf26a43259375bd435d7",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\b>\ufffd\u0016[\n\ufffd\ufffd)\u0012\ufffd\ufffdv65\u06c3\ufffd\ufffd>\u0004K\ufffd&\ufffd\u0006\t\ufffd\ufffdS k(\u00170\u001f8\ufffdt\u03b2\ufffd.^\ufffd\ufffd\u0547\ufffd0\ufffd\ufffd\u0012\u05dd\ufffd\ufffd\ty\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd>\ufffd[\n\ufffd\ufffd)\ufffd\ufffdv65\u06c3\ufffd\ufffd>K\ufffd&\ufffd\t\ufffd\ufffdS k(08\ufffdt\u03b2\ufffd.^\ufffd\ufffd\u0547\ufffd0\ufffd\ufffd\u05dd\ufffd\ufffd\ty\ufffda\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\b>\ufffd\u0016[\n\ufffd\ufffd)\u0012\ufffd\ufffdv65\u06c3\ufffd\ufffd>\u0004K\ufffd&\ufffd\u0006\t\ufffd\ufffdS k(\u00170\u001f8\ufffdt\u03b2\ufffd.^\ufffd\ufffd\u0547\ufffd0\ufffd\ufffd\u0012\u05dd\ufffd\ufffd\ty\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd>\ufffd[\n\ufffd\ufffd)\ufffd\ufffdv65\u06c3\ufffd\ufffd>K\ufffd&\ufffd\t\ufffd\ufffdS k(08\ufffdt\u03b2\ufffd.^\ufffd\ufffd\u0547\ufffd0\ufffd\ufffd\u05dd\ufffd\ufffd\ty\ufffda\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
14/06/2026 14:06:04 UTC
TCP
9002 · MINIO CONSOLE
Sonde PostgreSQL
postgres probe · via MINIO CONSOLE:9002 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
MINIO-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9002
Chemin / cible
—
Service
MINIO CONSOLE
Payload
�����������b����i��o9�G\S�������0s>���`��?� ��?��65��2� r�VBO�4�.&�t�%�q�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������b����i��o9�G\S�������0s>���`��?� ��?��65��2� r�VBO�4�.&�t�%�q�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������b����i��o9�G\S�������0s>���`��?� ��?��65��2� r�VBO�4�.&�t�%�q�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� :�Հsx��P]9��j[�b�4��1N������h0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.823111795230258,
"port_category": "registered",
"org": "Google LLC",
"service": "minio-console",
"app_proto": "minio-console",
"asn": 396982,
"country": "BR",
"dst_port": 9002,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "e9a58bd6e2307d4ac1ae277602ddaeae0a42d762",
"event_fingerprint": "b6934a8f5faeb2f67f99a7dbc0ecf0db1c31e783",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "minio-console",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BR",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6970fa3b37c951dbf515d811dea610b2",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9002,
"service": "minio-console",
"service_name": "minio-console",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003b\ufffd\ufffd\ufffd\ufffdi\u0011\ufffdo9\u0003G\\S\ufffd\ufffd\ufffd\u0006\u0017\u0017\u00020s>\ufffd\b\ufffd`\ufffd\ufffd?\ufffd \ufffd\ufffd?\ufffd\ufffd65\ufffd\ufffd2\u001d r\ufffdVBO\ufffd4\ufffd.&\ufffdt\ufffd%\ufffdq\u0014\ufffd\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003b\ufffd\ufffd\ufffd\ufffdi\u0011\ufffdo9\u0003G\\S\ufffd\ufffd\ufffd\u0006\u0017\u0017\u00020s>\ufffd\b\ufffd`\ufffd\ufffd?\ufffd \ufffd\ufffd?\ufffd\ufffd65\ufffd\ufffd2\u001d r\ufffdVBO\ufffd4\ufffd.&\ufffdt\ufffd%\ufffdq\u0014\ufffd\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 :\ufffd\u0540sx\ufffd\ufffdP]9\ufffd\ufffdj[\ufffdb\u00114\ufffd\ufffd1N\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdh0",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003b\ufffd\ufffd\ufffd\ufffdi\u0011\ufffdo9\u0003G\\S\ufffd\ufffd\ufffd\u0006\u0017\u0017\u00020s>\ufffd\b\ufffd`\ufffd\ufffd?\ufffd \ufffd\ufffd?\ufffd\ufffd65\ufffd\ufffd2\u001d r\ufffdVBO\ufffd4\ufffd.&\ufffdt\ufffd%\ufffdq\u0014\ufffd\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cb6c9ba6506cd57b9878fda8454277365aa12610",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003b\ufffd\ufffd\ufffd\ufffdi\u0011\ufffdo9\u0003G\\S\ufffd\ufffd\ufffd\u0006\u0017\u0017\u00020s>\ufffd\b\ufffd`\ufffd\ufffd?\ufffd \ufffd\ufffd?\ufffd\ufffd65\ufffd\ufffd2\u001d r\ufffdVBO\ufffd4\ufffd.&\ufffdt\ufffd%\ufffdq\u0014\ufffd\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"evidence_snippet": "\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffdi\ufffdo9G\\S\ufffd\ufffd\ufffd0s>\ufffd\ufffd`\ufffd\ufffd?\ufffd \ufffd\ufffd?\ufffd\ufffd65\ufffd\ufffd2 r\ufffdVBO\ufffd4\ufffd.&\ufffdt\ufffd%\ufffdq\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "minio-console",
"service_label_fr": "MINIO CONSOLE",
"dst_port": 9002,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-minio-console",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003b\ufffd\ufffd\ufffd\ufffdi\u0011\ufffdo9\u0003G\\S\ufffd\ufffd\ufffd\u0006\u0017\u0017\u00020s>\ufffd\b\ufffd`\ufffd\ufffd?\ufffd \ufffd\ufffd?\ufffd\ufffd65\ufffd\ufffd2\u001d r\ufffdVBO\ufffd4\ufffd.&\ufffdt\ufffd%\ufffdq\u0014\ufffd\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9002,
"service": "minio-console",
"service_label_fr": "MINIO CONSOLE"
},
"attack_vector": "postgres probe \u00b7 via MINIO CONSOLE:9002 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffdi\ufffdo9G\\S\ufffd\ufffd\ufffd0s>\ufffd\ufffd`\ufffd\ufffd?\ufffd \ufffd\ufffd?\ufffd\ufffd65\ufffd\ufffd2 r\ufffdVBO\ufffd4\ufffd.&\ufffdt\ufffd%\ufffdq\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9002 \u00b7 MINIO CONSOLE",
"emulator_service": "minio-console",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "minio_console",
"service_banner": "honeypot-minio-console",
"service_os": "linux",
"dst_port": "9002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}