Détails IP 34.156.129.15

Synthèse exécutive

Profil de menace

Score de risque 49/100 Moyen

Première observation 17/06/2026 03:13 UTC

Dernière observation 17/06/2026 03:14 UTC

Événements (période) 29

MITRE ATT&CK principal TA0007 26 occurrences

Activité suspecte · risque 42/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Rafale d'authentification SSH · confiance 49%

Confiance 49 % — Score WAF 8

Comparaison ASN / FAI

ASN 396982 · 34.156.128.0/17 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 29 événements sur la période pour cette IP.

35.240.7.28 imap bruteforce 17/06/2026 06:09 UTC
35.187.13.22 Tentative d'exploit 17/06/2026 06:08 UTC
147.185.132.94 Sonde PostgreSQL 17/06/2026 06:07 UTC
35.195.153.25 Sonde port 23/TCP 17/06/2026 06:06 UTC
34.53.219.202 Sonde port 23/TCP 17/06/2026 06:05 UTC
147.185.132.103 Scanner web 17/06/2026 06:03 UTC
162.216.149.244 Scanner web 17/06/2026 06:02 UTC
147.185.132.49 Sonde PostgreSQL 17/06/2026 06:00 UTC

Événements (filtres)

Première observation

17/06/2026 03:13 UTC

Dernière observation

17/06/2026 03:14 UTC

Dernière activité (filtres)

17/06/2026 03:14 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

Belgique unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 110 port_110_tcp

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

rtsp probe · via POP3:110 · (sonde / probe)

Détails protocole

POP3: Sonde protocole POP3 (USER/PASS)

Aperçu payload

OPTIONS rtsp://example.com RTSP/1.0 Cseq: 5429

Port / service

110 · POP3

Service émulé

POP3

Raison confiance

Confiance 49 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0382

Confiance

49% Confiance modérée — signal unique

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

29 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

29 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 03:14:21 UTC	TCP	110 · POP3	pop3	mqtt probe mqtt probe · via POP3:110 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags mqtt_connect net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload MQTT<AAAAA Pourquoi cette classification : Rafale d'authentification SSH · confiance 97% Confiance classification 97% Risque capteur Moyen · 49 Confiance : Confiance 97 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0373 pat-0615 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MQTT protocol MQTT alt CONNECT Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) MQTT<AAAAA Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 20, "payload_entropy": 3.1414460711655217, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 49, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b136edc38db83ad57b9c90e3e1a9bebf4c8023ca", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%", "confidence": 0.97, "classification_confidence": 0.97, "precision_score": 110, "precision_signals": [ "pat-0373", "pat-0615" ], "kb_rule_ids": [ "pat-0373", "pat-0615" ], "matched_patterns": [ "pat-0373", "pat-0615", "pat-0554" ], "matched_pattern_names": [ "MQTT protocol", "MQTT alt CONNECT", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0373", "pat-0615", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 97, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8cbaa0e25147458ba5f5f0e8603c4f19", "path_pattern_hash": "4449b927317468afa12a2f935a413459" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 49 }, "payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA", "request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA", "payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA", "evidence": { "request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA", "payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f6ebe6b68ac93c4c76ff0a6ba95c312b62e2bfb2", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "MQTT<AAAAA", "attack_vector": "mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 97%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 97, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0373", "pat-0615" ], "tags_summary_labels_fr": [ "pat-0373", "pat-0615" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "MQTT<AAAAA", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mqtt_connect", "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:21 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload @RSYTCD: 29 Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) @RSYTCD: 29 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 12, "payload_entropy": 3.584962500721156, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b2993d6e4414a846683a71de5eb18653", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "@RSYTCD: 29\n", "request_sample": "@RSYTCD: 29\n", "payload_snippet": "@RSYTCD: 29", "evidence": { "request_sample": "@RSYTCD: 29\n", "payload_snippet": "@RSYTCD: 29", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "63b0b68cba582f45642d56cbfa05d0c5ae80cf67", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "@RSYTCD: 29", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "@RSYTCD: 29", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "@RSYTCD: 29", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "@RSYTCD: 29", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:21 UTC	TCP	110 · POP3	pop3	oracle tns probe oracle tns probe · via POP3:110 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload �<,��:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123 Pourquoi cette classification : Rafale d'authentification SSH · confiance 47% Confiance classification 47% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 47 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0520 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Oracle TNS connect STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �<,��:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123 Requête brute (extrait) �<,��:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=110))) Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 239, "payload_entropy": 5.127911658718781, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0520" ], "kb_rule_ids": [ "pat-0520" ], "matched_patterns": [ "pat-0520", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Oracle TNS connect", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0520", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 47, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a4128a3063c2666570c280a6e2b7f6cc", "path_pattern_hash": "420e91c120535c16728a9791d446fafc" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 45 }, "payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123", "request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=110)))", "payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123", "evidence": { "request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=110)))", "payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a54d5a1c2ee43864b18a645884d3e25fa4459efd", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123", "attack_vector": "oracle tns probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 47, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0520" ], "tags_summary_labels_fr": [ "pat-0520" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "oracle tns probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:21 UTC	TCP	110 · POP3	pop3	Protocole TDS MSSQL mssql tds · via POP3:110 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated postgres_startup Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8 Pourquoi cette classification : Rafale d'authentification SSH · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0356 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header MSSQL TDS prelogin ET H.323 setup Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 84, "payload_entropy": 4.139167728978457, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10 }, "risk_score": 32, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4dd39330461cf3ca280bcc759d61ab53bea1d9cf", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0356" ], "kb_rule_ids": [ "pat-0356" ], "matched_patterns": [ "pat-0348", "pat-0356", "pat-0868", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "MSSQL TDS prelogin", "ET H.323 setup", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0356", "pat-0868", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 32 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "94e606a42613d0ef095b8001a98bf6ed", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 32 }, "payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000", "request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "65e11fe15496fe5b89191251935d92a003bc42d7", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8", "attack_vector": "mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0356" ], "tags_summary_labels_fr": [ "pat-0356" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated", "postgres_startup", "postgresql_probe" ], "asn_dc_heuristic": true }
17/06/2026 03:14:21 UTC	TCP	110 · POP3	pop3	Sonde RTSP rtsp probe · via POP3:110 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload OPTIONS rtsp://example.com RTSP/1.0 Cseq: 5429 Pourquoi cette classification : Rafale d'authentification SSH · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass RTSP protocol HTTP OPTIONS method User-Agent — Règles WAF — Payload (extrait) OPTIONS rtsp://example.com RTSP/1.0 Cseq: 5429 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 51, "payload_entropy": 4.853318724112334, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0382" ], "kb_rule_ids": [ "pat-0382" ], "matched_patterns": [ "pat-0103", "pat-0382", "pat-0420" ], "matched_pattern_names": [ "LFI Double-dot bypass", "RTSP protocol", "HTTP OPTIONS method" ], "pattern_ids": [ "pat-0103", "pat-0382", "pat-0420" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bebcedcda52aaf113050cccd8439bfe3", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 42 }, "payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5429\r\n\r\n", "request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5429\r\n\r\n", "payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5429", "evidence": { "request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5429\r\n\r\n", "payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5429", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e18472a956b4b0281e76f3b53bf74c05742c357e", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5429", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5429", "attack_vector": "rtsp probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0382" ], "tags_summary_labels_fr": [ "pat-0382" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5429", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "rtsp probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 5429", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:20 UTC	TCP	110 · POP3	pop3	Sonde POP3 pop3 probe · via POP3:110 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags mongodb_probe net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload �(r��\| Pourquoi cette classification : Rafale d'authentification SSH · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0532 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �(r��\| Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 44, "payload_entropy": 1.9235205817738175, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4c2d8e4d9abc622803b6e39b98ef2b0304719c2c", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0532" ], "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "pop3", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2a177602bee0d039f41fbd6da5240e04", "path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 45 }, "payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a83a1636a54f9274129009ed123c16cb591d9f5", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd\|", "attack_vector": "pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0532" ], "tags_summary_labels_fr": [ "pat-0532" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd\|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd\|", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_probe", "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:20 UTC	TCP	110 · POP3	pop3	Sonde POP3 pop3 probe · via POP3:110 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload f�SMB@$333333333333337 Pourquoi cette classification : Rafale d'authentification SSH · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0532 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) f�SMB@$333333333333337 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 106, "payload_entropy": 1.562219115128654, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0532" ], "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "pop3", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c410cf23b3d85ec98026baf9f8231d24", "path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 45 }, "payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002", "request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002", "payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002", "evidence": { "request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002", "payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a66710b35c95baa8a3687875225bf263195e65b7", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "f\ufffdSMB@$333333333333337", "attack_vector": "pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0532" ], "tags_summary_labels_fr": [ "pat-0532" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "f\ufffdSMB@$333333333333337", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:20 UTC	TCP	110 · POP3	pop3	Sonde POP3 pop3 probe · via POP3:110 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload �� Pourquoi cette classification : Rafale d'authentification SSH · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 12, "payload_entropy": 2.125814583693911, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "pop3", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "378caa881e4803639c9c14dec49838ca", "path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 45 }, "payload_preview": "\ufffd\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001", "request_sample": "\ufffd\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001", "payload_snippet": "\ufffd\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001", "evidence": { "request_sample": "\ufffd\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001", "payload_snippet": "\ufffd\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "de7c7998d045fc15838e8b5675c17994916b0e37", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\ufffd\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "\ufffd\ufffd", "attack_vector": "pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\ufffd\ufffd\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:20 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload 1 $4 PING Pourquoi cette classification :* Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Redis PING RESP User-Agent — Règles WAF — Payload (extrait) 1 $4 PING Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 14, "payload_entropy": 3.128085278891395, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0414" ], "matched_pattern_names": [ "Redis PING RESP" ], "pattern_ids": [ "pat-0414" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a43cb6a3b9d261112714d00e36b33106", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "1\r\n$4\r\nPING\r\n", "request_sample": "1\r\n$4\r\nPING\r\n", "payload_snippet": "1\r\n$4\r\nPING", "evidence": { "request_sample": "1\r\n$4\r\nPING\r\n", "payload_snippet": "1\r\n$4\r\nPING", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4b91035ab300bb1c257fb87be22dc1836100b139", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "1\r\n$4\r\nPING", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "1\r\n$4\r\nPING", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "1\r\n$4\r\nPING", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "1\r\n$4\r\nPING", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:20 UTC	TCP	110 · POP3	pop3	mqtt probe mqtt probe · via POP3:110 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags mqtt_connect net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload MQTT<AAAAA Pourquoi cette classification : Rafale d'authentification SSH · confiance 97% Confiance classification 97% Risque capteur Moyen · 49 Confiance : Confiance 97 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0373 pat-0615 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MQTT protocol MQTT alt CONNECT Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) MQTT<AAAAA Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 19, "payload_entropy": 3.281373409411991, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 49, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b136edc38db83ad57b9c90e3e1a9bebf4c8023ca", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%", "confidence": 0.97, "classification_confidence": 0.97, "precision_score": 110, "precision_signals": [ "pat-0373", "pat-0615" ], "kb_rule_ids": [ "pat-0373", "pat-0615" ], "matched_patterns": [ "pat-0373", "pat-0615", "pat-0554" ], "matched_pattern_names": [ "MQTT protocol", "MQTT alt CONNECT", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0373", "pat-0615", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 97, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "146feb4208f989935534a353df60ec62", "path_pattern_hash": "4449b927317468afa12a2f935a413459" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 49 }, "payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA", "request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA", "payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA", "evidence": { "request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA", "payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8e6f109176798254c40497eddfe2b82130606e1b", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "MQTT<AAAAA", "attack_vector": "mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 97%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 97%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 97, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0373", "pat-0615" ], "tags_summary_labels_fr": [ "pat-0373", "pat-0615" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "mqtt probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "MQTT<AAAAA", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mqtt_connect", "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:20 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload JDWP-Handshake Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) JDWP-Handshake Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 14, "payload_entropy": 3.6644977792004623, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d7cf99dd7541d7bd514fc0d9a1b2d531", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "JDWP-Handshake", "request_sample": "JDWP-Handshake", "payload_snippet": "JDWP-Handshake", "evidence": { "request_sample": "JDWP-Handshake", "payload_snippet": "JDWP-Handshake", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fa580366a7cbe6c34adf288a5126d96d893a6f89", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "JDWP-Handshake", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "JDWP-Handshake", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "JDWP-Handshake", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "JDWP-Handshake", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:20 UTC	TCP	110 · POP3	pop3	Sonde Java RMI java rmi probe · via POP3:110 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload JRMIK Pourquoi cette classification : Rafale d'authentification SSH · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0604 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Java RMI JRMI User-Agent — Règles WAF — Payload (extrait) JRMIK Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 7, "payload_entropy": 2.807354922057604, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 32, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0604" ], "kb_rule_ids": [ "pat-0604" ], "matched_patterns": [ "pat-0604" ], "matched_pattern_names": [ "Java RMI JRMI" ], "pattern_ids": [ "pat-0604" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 32 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d8c49a0f759e2102fb8fa8368049d06a", "path_pattern_hash": "7a566ca86213ccd15a91c0b5a885a24f" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 32 }, "payload_preview": "JRMI\u0000\u0002K", "request_sample": "JRMI\u0000\u0002K", "payload_snippet": "JRMI\u0000\u0002K", "evidence": { "request_sample": "JRMI\u0000\u0002K", "payload_snippet": "JRMI\u0000\u0002K", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "46bef58c2a08881249be93277bf3090a6a7f6ada", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "JRMI\u0000\u0002K", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "JRMIK", "attack_vector": "java rmi probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0604" ], "tags_summary_labels_fr": [ "pat-0604" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "JRMI\u0000\u0002K", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "java rmi probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "JRMIK", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:17 UTC	TCP	110 · POP3	pop3	Sonde Kafka kafka probe · via POP3:110 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload C3�consumer-Offset Explorer 2.2-18apache-kafka-java2.4.0 Pourquoi cette classification : Rafale d'authentification SSH · confiance 47% Confiance classification 47% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 47 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0556 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Kafka ApiVersions key Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) C3�consumer-Offset Explorer 2.2-18apache-kafka-java2.4.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 71, "payload_entropy": 4.83906190787142, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 32, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0556" ], "kb_rule_ids": [ "pat-0556" ], "matched_patterns": [ "pat-0556", "pat-0554" ], "matched_pattern_names": [ "Kafka ApiVersions key", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0556", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 32 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 47, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d9bcc621186ef441cc445f2b3dbd5f10", "path_pattern_hash": "369bfdf011acc5969bcb68a7ffd2ca13" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 32 }, "payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000", "request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000", "payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000", "payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "620ed84601441313cce112870e8e7314fa819d11", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0", "attack_vector": "kafka probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 47%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 47%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 47, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0556" ], "tags_summary_labels_fr": [ "pat-0556" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "kafka probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
17/06/2026 03:14:17 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated postgres_startup Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload #3� adminclient-5FIMWWP Pourquoi cette classification : Rafale d'authentification SSH · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) #3� adminclient-5FIMWWP Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 39, "payload_entropy": 4.155818941810701, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4dd39330461cf3ca280bcc759d61ab53bea1d9cf", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "pop3", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9517f8e75a4457c35f2677adf23003c9", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 40 }, "payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006FIMWWP", "request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006FIMWWP", "payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006FIMWWP", "evidence": { "request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006FIMWWP", "payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006FIMWWP", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9ed299feea4a8cebae0477b5d094681ba4407d68", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006FIMWWP", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "#3\ufffd\radminclient-5FIMWWP", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006FIMWWP", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "#3\ufffd\radminclient-5FIMWWP", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated", "postgres_startup", "postgresql_probe" ], "asn_dc_heuristic": true }
17/06/2026 03:14:17 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d82a6eb2523f8353402da03eb253964f349b05c", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:14 UTC	TCP	110 · POP3	pop3	Protocole TDS MSSQL mssql tds · via POP3:110 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags mssql_tds net_bruteforce_burst net_mssql_tds pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload X%&'+,$� ��\�k�٪<K�{�\2!$��7�b9JF,� Pourquoi cette classification : Rafale d'authentification SSH · confiance 95% Confiance classification 95% Risque capteur Faible · 35 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0519 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Mumble ping STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) X%&'+,$� ��\�k�٪<K�{�\2!$��7�b9JF,� Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 88, "payload_entropy": 4.354527413223707, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "726ed118df54a678eb75d34ceb20ad5e79cd827a", "event_fingerprint": "9220bac2adc3c594b4910f2407683c9d020ff636", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 83, "precision_signals": [ "pat-0519", "INT-upstream" ], "kb_rule_ids": [ "pat-0519", "INT-upstream" ], "matched_patterns": [ "pat-0519", "pat-0768", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Mumble ping", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0519", "pat-0768", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0efe38694fbb4cc2af819186b5e9ae9e", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 35 }, "payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000", "request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8961e485cb0c90823478f1c8591dced50c06a619", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd", "attack_vector": "mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 95%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0519", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0519", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "mssql tds \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_tds", "net_bruteforce_burst", "net_mssql_tds", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:14 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload 0:[��`2cn=rqahgufzjhkhmfagelpi�rqahgufzjhkhmfagelpi Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 0:[��`2cn=rqahgufzjhkhmfagelpi�rqahgufzjhkhmfagelpi Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 60, "payload_entropy": 4.815061012203069, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "07bc7b65a35cdf66659a25e9dcfd661c", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "0:\u0002\u0004[\ufffd\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=rqahgufzjhkhmfagelpi\ufffd\u0014rqahgufzjhkhmfagelpi", "request_sample": "0:\u0002\u0004[\ufffd\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=rqahgufzjhkhmfagelpi\ufffd\u0014rqahgufzjhkhmfagelpi", "payload_snippet": "0:\u0002\u0004[\ufffd\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=rqahgufzjhkhmfagelpi\ufffd\u0014rqahgufzjhkhmfagelpi", "evidence": { "request_sample": "0:\u0002\u0004[\ufffd\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=rqahgufzjhkhmfagelpi\ufffd\u0014rqahgufzjhkhmfagelpi", "payload_snippet": "0:\u0002\u0004[\ufffd\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=rqahgufzjhkhmfagelpi\ufffd\u0014rqahgufzjhkhmfagelpi", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fa8c76c3292e34bfb09d22aa908aefab06867a09", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "0:\u0002\u0004[\ufffd\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=rqahgufzjhkhmfagelpi\ufffd\u0014rqahgufzjhkhmfagelpi", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "0:[\ufffd\ufffd\ufffd`2cn=rqahgufzjhkhmfagelpi\ufffdrqahgufzjhkhmfagelpi", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "0:\u0002\u0004[\ufffd\ufffd\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=rqahgufzjhkhmfagelpi\ufffd\u0014rqahgufzjhkhmfagelpi", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "0:[\ufffd\ufffd\ufffd`2cn=rqahgufzjhkhmfagelpi\ufffdrqahgufzjhkhmfagelpi", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:11 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d82a6eb2523f8353402da03eb253964f349b05c", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:08 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload � Pourquoi cette classification : Rafale d'authentification SSH · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 38 Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux pat-0348 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 19, "payload_entropy": 1.983740670882855, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7ba0cba937b3e4ab417fce5fba4756814d5d31b4", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "pop3", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0003c8efa0acdc0c6540f4bdb920f6bc", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cfe2ae4a0787b638c4d6681b90512950d876f990", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "\ufffd", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 49%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0348" ], "tags_summary_labels_fr": [ "pat-0348" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:08 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload Not a command Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Not a command Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 16, "payload_entropy": 3.327819531114783, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad32b372bf9a8e846b24a957491de4e3", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "Not a command \r\n", "request_sample": "Not a command \r\n", "payload_snippet": "Not a command", "evidence": { "request_sample": "Not a command \r\n", "payload_snippet": "Not a command", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "77041c0cfd4439dc8cdda7fdbfde2571d0c5f879", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "Not a command", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "Not a command", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "Not a command", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "Not a command", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:05 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7ba0cba937b3e4ab417fce5fba4756814d5d31b4", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "de1b71cb0451c5e1ca4074f0c12ea2268a32e2d6", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:14:05 UTC	TCP	110 · POP3	pop3	Sonde POP3 pop3 probe · via POP3:110 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload 3�versionbind Pourquoi cette classification : Rafale d'authentification SSH · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 3�versionbind Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 32, "payload_entropy": 3.4681390622295662, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7ba0cba937b3e4ab417fce5fba4756814d5d31b4", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 45 }, "service_name": "pop3", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "46465d89e913d51c2a2e843df882c387", "path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 45 }, "payload_preview": "\u0000\u001e3\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "request_sample": "\u0000\u001e3\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "payload_snippet": "\u0000\u001e3\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "evidence": { "request_sample": "\u0000\u001e3\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "payload_snippet": "\u0000\u001e3\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "20be9050527ce130e7547ce8e7c9b94a9b3a9396", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u001e3\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "3\ufffdversionbind", "attack_vector": "pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 50%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0000\u001e3\ufffd\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "pop3 probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "3\ufffdversionbind", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:13:58 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d82a6eb2523f8353402da03eb253964f349b05c", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
17/06/2026 03:13:52 UTC	TCP	110 · POP3	pop3	Sonde PostgreSQL postgres probe · via POP3:110 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_pop3_probe pop3_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload ��S�+{��EN��9��[��#�J� \|zSGXzr�i�I��q\��,v�)�xP[%y�2�+�/�,�0̨̩� �� /5� �#�'<�� Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��S�+{��EN��9��[��#�J� \|zSGXzr�i�I��q\��,v�)�xP[%y�2�+�/�,�0̨̩� �� /5� �#�'<�� Requête brute (extrait) ��S�+{��EN��9��[��#�J� \|zSGXzr�i�I��q\��,v�)�xP[%y�2�+�/�,�0̨̩� �� /5� �#�'<��E � � + 3��˔z�.�\�-�PX��(l�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 1481, "payload_entropy": 7.715609095785564, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "449517742a599f946a186910e8d4c234ab9ecde4", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "07f5a003924de27607b468620745bcbd", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S\ufffd\b\u001d+{\ufffd\ufffd\ufffd\u001aE\u0015N\ufffd\ufffd\u0014\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd#\ufffdJ\ufffd \|zSG\u0003Xz\u000er\ufffd\u0003i\u0001\ufffdI\ufffd\ufffdq\\\ufffd\ufffd,v\ufffd)\ufffdxP[%y\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S\ufffd\b\u001d+{\ufffd\ufffd\ufffd\u001aE\u0015N\ufffd\ufffd\u0014\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd#\ufffdJ\ufffd \|zSG\u0003Xz\u000er\ufffd\u0003i\u0001\ufffdI\ufffd\ufffdq\\\ufffd\ufffd,v\ufffd)\ufffdxP[%y\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\u001a\u0018\ufffd\u0004\u02d4z\ufffd.\u0012\ufffd\\\ufffd-\ufffdP\u0013X\ufffd\ufffd(l\ufffd\ufffd\ufffd\u0005", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S\ufffd\b\u001d+{\ufffd\ufffd\ufffd\u001aE\u0015N\ufffd\ufffd\u0014\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd#\ufffdJ\ufffd \|zSG\u0003Xz\u000er\ufffd\u0003i\u0001\ufffdI\ufffd\ufffdq\\\ufffd\ufffd,v\ufffd)\ufffdxP[%y\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fb4a6f84a916365c448484364335d4d5ceb03351", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S\ufffd\b\u001d+{\ufffd\ufffd\ufffd\u001aE\u0015N\ufffd\ufffd\u0014\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd#\ufffdJ\ufffd \|zSG\u0003Xz\u000er\ufffd\u0003i\u0001\ufffdI\ufffd\ufffdq\\\ufffd\ufffd,v\ufffd)\ufffdxP[%y\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "\ufffd\ufffdS\ufffd+{\ufffd\ufffd\ufffdEN\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd#\ufffdJ\ufffd \|zSGXzr\ufffdi\ufffdI\ufffd\ufffdq\\\ufffd\ufffd,v\ufffd)\ufffdxP[%y\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd", "attack_vector": "postgres probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S\ufffd\b\u001d+{\ufffd\ufffd\ufffd\u001aE\u0015N\ufffd\ufffd\u0014\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd#\ufffdJ\ufffd \|zSG\u0003Xz\u000er\ufffd\u0003i\u0001\ufffdI\ufffd\ufffdq\\\ufffd\ufffd,v\ufffd)\ufffdxP[%y\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "postgres probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdS\ufffd+{\ufffd\ufffd\ufffdEN\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd#\ufffdJ\ufffd \|zSGXzr\ufffdi\ufffdI\ufffd\ufffdq\\\ufffd\ufffd,v\ufffd)\ufffdxP[%y\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_pop3_probe", "pop3_emulated", "tls_clienthello" ], "asn_dc_heuristic": true }
17/06/2026 03:13:52 UTC	TCP	110 · POP3	pop3	Protocole wire MongoDB mongodb wire protocol · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags mongodb_hello_probe net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload ;�admin.$cmd��hello�?>�admin.$cmd��isMaster�? Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Faible · 38 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0363 pat-0364 Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Mongo isMaster legacy Mongo ismaster command NFS RPC mount STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ;�admin.$cmd��hello�?>�admin.$cmd��isMaster�? Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 121, "payload_entropy": 3.1150230512705406, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e6bf60ca632608bda6c12566a8ed3c30ad95fc71", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0363", "pat-0364" ], "kb_rule_ids": [ "pat-0363", "pat-0364" ], "matched_patterns": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Mongo isMaster legacy", "Mongo ismaster command", "NFS RPC mount", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0363", "pat-0364", "pat-0532", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": false, "classification_parent": "mongodb_probe", "service_name": "pop3", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "de7aa004722a47b7532d77bd58324675", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_snippet": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "evidence": { "request_sample": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "payload_snippet": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c4d77aecdbe6d7dae5a7029772683bdb665dd88c", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": ";\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?>\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?", "attack_vector": "mongodb wire protocol \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0363", "pat-0364" ], "tags_summary_labels_fr": [ "pat-0363", "pat-0364" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000>\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0017\u0000\u0000\u0000\u0001isMaster\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "mongodb wire protocol \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": ";\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?>\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdisMaster\ufffd?", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_hello_probe", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:13:52 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload GET / HTTP/1.1 Host: 62.3.50.33:110 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck Pourquoi cette classification : Type « port_110_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 45 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:110 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:110 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 188, "payload_entropy": 5.372025768369732, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bfc4ad35009ea1cb25593052c6d41e50b4e98163", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "37fc73add798c6789f65efefc8646e2e", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 45 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:110\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:110\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:110\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:110\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:110\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9ac512dc6ce1a3a1262256f5eed8243accab7269", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:110\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:110\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:110\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:110\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:13:52 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload 7J��I��:�(��cěÈ��yHNL��~��0��$ێ+ ��7�\| Pourquoi cette classification : Type « port_110_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 7J��I��:�(��cěÈ��yHNL��~��0��$ێ+ ��7�\| Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 64, "payload_entropy": 5.831954882778696, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0bc29430209a1501e4a4048f59725d53efecdcd6", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8a31f156a610b96db3720ab789812d07", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "7J\ufffd\ufffd\ufffdI\ufffd\ufffd:\ufffd(\ufffd\ufffd\ufffdc\u011b\u00c8\ufffd\ufffd\u0019\ufffd\u0017\ufffdyHNL\ufffd\ufffd\ufffd~\ufffd\u0016\u0001\u000e\ufffd0\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\u0000\u001d\ufffd\ufffd\ufffd$\u06ce+\t\ufffd\u0013\ufffd\ufffd\ufffd7\ufffd\|\u0002", "request_sample": "7J\ufffd\ufffd\ufffdI\ufffd\ufffd:\ufffd(\ufffd\ufffd\ufffdc\u011b\u00c8\ufffd\ufffd\u0019\ufffd\u0017\ufffdyHNL\ufffd\ufffd\ufffd~\ufffd\u0016\u0001\u000e\ufffd0\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\u0000\u001d\ufffd\ufffd\ufffd$\u06ce+\t\ufffd\u0013\ufffd\ufffd\ufffd7\ufffd\|\u0002", "payload_snippet": "7J\ufffd\ufffd\ufffdI\ufffd\ufffd:\ufffd(\ufffd\ufffd\ufffdc\u011b\u00c8\ufffd\ufffd\u0019\ufffd\u0017\ufffdyHNL\ufffd\ufffd\ufffd~\ufffd\u0016\u0001\u000e\ufffd0\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\u0000\u001d\ufffd\ufffd\ufffd$\u06ce+\t\ufffd\u0013\ufffd\ufffd\ufffd7\ufffd\|\u0002", "evidence": { "request_sample": "7J\ufffd\ufffd\ufffdI\ufffd\ufffd:\ufffd(\ufffd\ufffd\ufffdc\u011b\u00c8\ufffd\ufffd\u0019\ufffd\u0017\ufffdyHNL\ufffd\ufffd\ufffd~\ufffd\u0016\u0001\u000e\ufffd0\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\u0000\u001d\ufffd\ufffd\ufffd$\u06ce+\t\ufffd\u0013\ufffd\ufffd\ufffd7\ufffd\|\u0002", "payload_snippet": "7J\ufffd\ufffd\ufffdI\ufffd\ufffd:\ufffd(\ufffd\ufffd\ufffdc\u011b\u00c8\ufffd\ufffd\u0019\ufffd\u0017\ufffdyHNL\ufffd\ufffd\ufffd~\ufffd\u0016\u0001\u000e\ufffd0\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\u0000\u001d\ufffd\ufffd\ufffd$\u06ce+\t\ufffd\u0013\ufffd\ufffd\ufffd7\ufffd\|\u0002", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6149771af79c30981d2941712ba0ced0a618a59f", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "7J\ufffd\ufffd\ufffdI\ufffd\ufffd:\ufffd(\ufffd\ufffd\ufffdc\u011b\u00c8\ufffd\ufffd\u0019\ufffd\u0017\ufffdyHNL\ufffd\ufffd\ufffd~\ufffd\u0016\u0001\u000e\ufffd0\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\u0000\u001d\ufffd\ufffd\ufffd$\u06ce+\t\ufffd\u0013\ufffd\ufffd\ufffd7\ufffd\|\u0002", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "7J\ufffd\ufffd\ufffdI\ufffd\ufffd:\ufffd(\ufffd\ufffd\ufffdc\u011b\u00c8\ufffd\ufffd\ufffd\ufffdyHNL\ufffd\ufffd\ufffd~\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\u06ce+\t\ufffd\ufffd\ufffd\ufffd7\ufffd\|", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "7J\ufffd\ufffd\ufffdI\ufffd\ufffd:\ufffd(\ufffd\ufffd\ufffdc\u011b\u00c8\ufffd\ufffd\u0019\ufffd\u0017\ufffdyHNL\ufffd\ufffd\ufffd~\ufffd\u0016\u0001\u000e\ufffd0\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\u0000\u001d\ufffd\ufffd\ufffd$\u06ce+\t\ufffd\u0013\ufffd\ufffd\ufffd7\ufffd\|\u0002", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "7J\ufffd\ufffd\ufffdI\ufffd\ufffd:\ufffd(\ufffd\ufffd\ufffdc\u011b\u00c8\ufffd\ufffd\ufffd\ufffdyHNL\ufffd\ufffd\ufffd~\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\u06ce+\t\ufffd\ufffd\ufffd\ufffd7\ufffd\|", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:13:52 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_bruteforce_burst net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Pourquoi cette classification : Rafale d'authentification SSH · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "90a21a7c7c63b720da188cea6b1e41a0aed5b30f", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d82a6eb2523f8353402da03eb253964f349b05c", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 55%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_bruteforce_burst", "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }
17/06/2026 03:13:49 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload Not a command Pourquoi cette classification : Type « port_110_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Not a command Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 16, "payload_entropy": 3.327819531114783, "port_category": "well_known", "org": "Google LLC", "service": "pop3", "app_proto": "pop3", "asn": 396982, "country": "BE", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0bc29430209a1501e4a4048f59725d53efecdcd6", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad32b372bf9a8e846b24a957491de4e3", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "Not a command \r\n", "request_sample": "Not a command \r\n", "payload_snippet": "Not a command", "evidence": { "request_sample": "Not a command \r\n", "payload_snippet": "Not a command", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "03b20b30460b77c53f5d4f61b55969f14b8872bc", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "Not a command", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "Not a command", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "Not a command", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "Not a command", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_pop3_probe", "pop3_emulated" ], "asn_dc_heuristic": true }

34.156.129.15

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence