{"ip":"34.180.20.149","exported_at":"2026-06-17T22:02:54+00:00","period_days":30,"metrics":{"events7d":60,"distinct_ports":1,"distinct_classifications":2,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":34,"max_risk_score":89,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["path_traversal","config_leak_scan"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":40,"protocol":35,"novelty":25},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"T1083","top_mitre_technique":"TA0007","top_mitre_count":30,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)","campaign_hint_fr":null,"confidence_breakdown":{"waf":100,"classification":74,"behavior":0,"geo":40,"protocol":35,"novelty":25,"risk_score":68,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":100,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["SIGMA-web-config-leak","Http Sensitive","Upstream","Waf Score"],"tags_summary":["SIGMA-web-config-leak","INT-http_sensitive","INT-upstream","INT-waf-score"],"attack_vector":"config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/project\/.git\/config","protocol_details":{"http_method":"GET","http_path":"\/project\/.git\/config","request_line":"GET \/project\/.git\/config HTTP\/1.1","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026","port":9008,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/project\/.git\/config \u00b7 UA Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3)\u2026 \u00b7 HTTP:9008","evidence_snippet":"GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9008\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKi","target_port_label":"9008 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF","classification_reason":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","classification_reason_label_fr":"Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF","payload_preview":"GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9008\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKi"},"events":[{"id":8899328,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44288,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/backend\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00225f54e573b05bff14b77d1814d3bb5eb9b4150213\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00222482ac6c987d570b89dfba6cfee3dc3ac194789d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.437137362580047, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u0022183a3662d1195374de7eb10fa59bc29b15872c0b\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002229bf1f4d0981ae0108cf486395724145\u0022, \u0022payload_hash\u0022: \u0022af2d3ef7cad37e81d70357a1d868d200\u0022, \u0022path_pattern_hash\u0022: \u00222de751ea5a34e7a22b69004dc29faa62\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/backend\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c20f48bca6e2d304fb5dba086dd731665c54bb31\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/backend\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/backend\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/backend\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/backend\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/backend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":243},{"id":8899329,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44302,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/frontend\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00225c62382c707e3594f9b439b35099cfa8d48abbcf\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u002279637aca3de7d81f8030ec893ab364d04845083c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 245, \u0022payload_entropy\u0022: 5.397076564154007, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u0022141eb30d5b5e478bc8d9b0518a831cb236eade3c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221aa9a3b607358d5fc8539c161a50040b\u0022, \u0022payload_hash\u0022: \u00221dc88b5ee9f20e7fe738f9c2b98f578e\u0022, \u0022path_pattern_hash\u0022: \u0022916bc8abf1fa018cce797ab5bdb418f0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/frontend\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/frontend\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022140560acec83c3689ba6ecebfcccebf60588f8f5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/frontend\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/frontend\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/frontend\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/frontend\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/frontend\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":245},{"id":8899330,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44314,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":31,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"GET","http_target":"\/api\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022ec914b4f2e5748c1c72bd42fb71d3dcedf183507\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00224d60538c38eae0fe13cbc99a2ea3645cbb337669\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 279, \u0022payload_entropy\u0022: 5.35836637120889, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 9, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022270844b1b8c0a3604ca3dc4cb29a67b3f3ceaaf1\u0022, \u0022event_fingerprint\u0022: \u00221d376e4879f6725db0bf8e8c2db3717c6ec2691a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b47b943be9dce335a816a94292b5117a\u0022, \u0022payload_hash\u0022: \u0022d94d535ec86ba4d13e98b40d7fcc65f3\u0022, \u0022path_pattern_hash\u0022: \u00223ed56f63a5d3aef03e8853abb49b3eea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWe\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/18.0.130791545 Mobile\/14A5345a Safari\/600.1.4\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/18.0.130791545 Mobile\/14A5345a Safari\/600.1.4\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWe\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/api\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/18.0.130791545 Mobile\/14A5345a Safari\/600.1.4\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/18.0.130791545 Mobile\/14A5345a Safari\/600.1.4\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\u0022, \u0022payload_snippet\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWe\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002201f9aeac0227ca51de2ed36d33dde2eabe0ff904\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/18.0.130791545 Mobil\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWe\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/api\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/18.0.130791545 Mobil\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/api\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWe\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 10_0 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) GSA\/18.0.130791545 Mobile\/14A5345a Safari\/600.1.4","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_api\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":279},{"id":8899331,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44324,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/www\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022746c97dbb13d6984570db47d357e3dba2d4e421c\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00227b5c6d1b9506a8d5fe958dbcf1ffdcdd61f34f9e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.431301283256407, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u0022d2a01d82de93e0f2d13924442d8dcf2ed29d2250\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f2568922252b755c279e512ec2341397\u0022, \u0022payload_hash\u0022: \u0022d010624b177ed0a9408798dbf551356d\u0022, \u0022path_pattern_hash\u0022: \u00222067f182832f5bbc5f3205656471af53\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/www\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/www\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e68cde8357e7b5dc210e5dbc92da723655b9bbba\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/www\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/www\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/www\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/www\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/www\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":243},{"id":8899332,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44342,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/site\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022289f4c295ae7f09c1eee743f7f4cd8518b47179b\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u002299d75e39037b11054e155a03133c80282ea1c965\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.372917866152365, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u00228e1b694bc8726b582f7aa200d051b667064409fe\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002295883dd05f3e1c6a42007821f8bf3c58\u0022, \u0022payload_hash\u0022: \u002222be4289794c621fdebff93ee0015105\u0022, \u0022path_pattern_hash\u0022: \u00226901c63c2daa99b93d9d7c027371b852\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/5\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/site\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/5\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/site\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/5\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a98667b44b3c2cc60f11cb7f9c7600d4c17c3cb3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/site\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/5\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/site\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/site\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/site\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/site\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/5\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit\/532.5 (KHTML, like Gecko) Chrome\/4.0.249.0 Safari\/532.5","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":251},{"id":8899333,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44326,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/htdocs\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022b61212a69dc817b83cb606daa166c8a2cbe8d77c\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u002291751256d60394a8b0340bb86ad1a8313b8dadfa\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.402189393656948, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u0022516ffdb8216e61b83ca11ae4616a0c8702ea4d9c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ee19a236baad72405498434a7b8f810e\u0022, \u0022payload_hash\u0022: \u0022ae57ed768ce74580abe957d8a36d60aa\u0022, \u0022path_pattern_hash\u0022: \u00229d5b4b02a118c63f9864fb4303c2c2fa\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htdocs\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htdocs\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f4eec9866b42be618f7f7bdf616051f4fa854e99\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/htdocs\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/htdocs\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/htdocs\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/htdocs\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/htdocs\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":259},{"id":8899334,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44356,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/assets\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002229f17cdabaff470e5d7e53691767434a05d1319e\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022e81ca9a0554d6690b053d3acc558b05833b1c696\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 245, \u0022payload_entropy\u0022: 5.401751480886214, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002241a632ce9f845d17d75e1dc8ae89fdb8ee3131bf\u0022, \u0022event_fingerprint\u0022: \u00225d8fd376ba98b14ce20012b88469e240c65caa69\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e9ae7853e0128d1938250915a8cc61e8\u0022, \u0022payload_hash\u0022: \u0022b6277ae4455baa07dc0a47bfc68d9726\u0022, \u0022path_pattern_hash\u0022: \u002270c13b709566f458c71892575aa001e0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.277.0 Safari\/532.8\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.277.0 Safari\/532.8\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.277.0 Safari\/532.8\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.277.0 Safari\/532.8\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220bd42c7fdcd6c2fd714ee0ffb277dfaa1b41725d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/assets\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.277.0 Safari\/532.8\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/assets\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/assets\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.277.0 Safari\/532.8\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/assets\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/assets\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_assets\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (X11; U; Linux i686; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.277.0 Safari\/532.8","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_assets\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":245},{"id":8899335,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44370,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/html\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022e6e6f1a40b7ab3bfb5ec8ac6fc82910ab9af46f3\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022ed148acba970ce3061829b4dd97608d1a6997773\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 268, \u0022payload_entropy\u0022: 5.4075581637243255, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u0022e7c1f6dff67734eb7222b12587cbb56859707fc4\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ac75ec6b3d89b65d03b6493aea5f1b4b\u0022, \u0022payload_hash\u0022: \u0022a681cf00c20e3465b0ee19b409d87865\u0022, \u0022path_pattern_hash\u0022: \u0022985e825857a4aae20b7bcc62b05870c4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/html\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnectio\u0022, \u0022payload_snippet\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/html\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnectio\u0022, \u0022payload_snippet\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221f4fa65b3ee5f6c7a1f52486db40c7706d7cefb7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/html\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/html\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/html\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/html\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/html\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Droid Build\/FRG22D) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":268},{"id":8899336,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44386,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/build\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022bcd9515135b2b38273255169504ce7814fcefdc2\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00226aeebdefc1a7f3903e2f068a42149eb080915c7b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 238, \u0022payload_entropy\u0022: 5.411678094734618, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u00224bd0c32782f52a8be02d05be1e6a86150ca8fd15\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ed6246ba1d94277a15a85327855f9593\u0022, \u0022payload_hash\u0022: \u0022bd2bee63a3594c5ca1a1f50d4f9a2c05\u0022, \u0022path_pattern_hash\u0022: \u0022203627ae3f02d834b42dc778d4676888\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/build\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/build\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f186cba674bff51779bc53f83f140b10e1c9592e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/build\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/build\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/build\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/build\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/build\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, lik\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/28.0.1478.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":238},{"id":8899337,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44400,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":14,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/web\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022ed6f4494853a002e138ba329dfe170be785a2551\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022f32c2ab0d87a20f2415a1cf44997c48739d87917\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 158, \u0022payload_entropy\u0022: 5.0724863614097835, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 64.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 64.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022072f201024570fdc0f1f8220234ae002412b0953\u0022, \u0022event_fingerprint\u0022: \u0022cf2419685bf9a09c406b57fd8027c923bf8d1d5c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 64.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002217614ef4c26ce72b88e58962b18dd089\u0022, \u0022payload_hash\u0022: \u0022af74d52a0ca8874fdf74755a30dd2322\u0022, \u0022path_pattern_hash\u0022: \u00222be87edfa036da6580e700b188114b92\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: facebookexternalhit\/1.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encodin\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/.git\/config\u0022, \u0022user_agent\u0022: \u0022facebookexternalhit\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: facebookexternalhit\/1.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: facebookexternalhit\/1.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encodin\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/.git\/config\u0022, \u0022user_agent\u0022: \u0022facebookexternalhit\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: facebookexternalhit\/1.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: facebookexternalhit\/1.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encodin\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d9707548c55661224811a70a3ae8c753ea27a752\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/web\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022facebookexternalhit\/1.1\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: facebookexternalhit\/1.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encodin\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/web\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 64.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/web\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022facebookexternalhit\/1.1\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/web\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/web\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: facebookexternalhit\/1.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encodin\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"facebookexternalhit\/1.1","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":7,"bytes_in":158},{"id":8899338,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44402,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/static\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002241d49640cf6562d0508fdde1291f64abe488d24f\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022521a53c26ae63c9f634cf4a8753a3e9a31c14380\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.3785191429265895, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a7fff79ab2d575ec056150e23300ac7a7f203620\u0022, \u0022event_fingerprint\u0022: \u0022050b90d67977091fe83d0729e9b7c06121c5b094\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f389b8ac4b7dccb1a8cfb683ebf4eeca\u0022, \u0022payload_hash\u0022: \u0022e67d5a32491f944a669d00c0317975ae\u0022, \u0022path_pattern_hash\u0022: \u00228991b5397bf20ed66988d72bf753894a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/static\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13F69 Safari\/601.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13F69 Safari\/601.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/static\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13F69 Safari\/601.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13F69 Safari\/601.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022139179b14c6fba628613e54fcde70e473a484c8a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/static\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13F69 Safari\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/static\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/static\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13F69 Safari\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/static\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/static\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_static\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (iPad; CPU OS 9_3_2 like Mac OS X) AppleWebKit\/601.1.46 (KHTML, like Gecko) Version\/9.0 Mobile\/13F69 Safari\/601.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_static\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":263},{"id":8899339,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44408,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/dist\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002264b9455dfe735d628cce750e68df424617391eb9\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022b2ec2395164738dbd60ce81f264be6255104bfff\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.441114272500005, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u00220c1ad249057eed9fa4d908138d54845b8aab3e37\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221aff1e9f841b5dfe178924605f88fd9c\u0022, \u0022payload_hash\u0022: \u00226b530879535f835f57bebcbdd2d0b654\u0022, \u0022path_pattern_hash\u0022: \u0022dd1606cd54dc95eed2c024184678427e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dist\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dist\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022da771bb011c4ff0357ec60b11ff04333e6e70d38\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dist\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dist\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dist\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dist\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/dist\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":258},{"id":8899340,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44410,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/admin\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00223075f3485c7c4d9b7be4a15ee65e557594c9f048\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00220d4fda54689ca91aa1cd9ce83cd7fe814ab26468\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 270, \u0022payload_entropy\u0022: 5.419601361187598, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 10, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ff1a4bb332b31889008b7d1dec5dc38cb78c2e66\u0022, \u0022event_fingerprint\u0022: \u0022051898b490b1308c5b6b799a61c480a857207f67\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022ecddbcf98c5f91df1de5a1fbc9c482fa\u0022, \u0022payload_hash\u0022: \u00225d5c91cdbc69a79df37f9cd2fb8e88a1\u0022, \u0022path_pattern_hash\u0022: \u0022b0ac58c50c927a70e841faaa3da36222\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnect\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnect\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002284dc7ba4bebb3370a116feede23be45003a36d26\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobil\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobil\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 2.2; en-us; ADR6300 Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":270},{"id":8899341,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44420,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/portal\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002248fc03f546e86a328ab25502c8c6180ec7f13b31\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022c6c2b01731ed2b569c9ab907e9a96206a2cfc6cc\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 259, \u0022payload_entropy\u0022: 5.4040057147171785, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u0022fd59de914852ab7638908f724642d3178aaf9bcf\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e8f256fddaecd8b08900bf092a3dd0a9\u0022, \u0022payload_hash\u0022: \u0022e98e9410da7c2a365c6181cb9b645e0a\u0022, \u0022path_pattern_hash\u0022: \u0022b68e69ddda3386f78de437bb71fa9236\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/portal\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/portal\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a702327f79bf2e5d5b0dcf97c4e7d77f63d9b64c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/portal\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/portal\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/portal\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/portal\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/portal\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; SM-G975F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":259},{"id":8899342,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44430,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/public\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022ab6be472386c2a172145f5ee25f450ea8a5c0f51\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00228257582ae447b9a2124e0414764cac0aac8808de\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 261, \u0022payload_entropy\u0022: 5.448528034564376, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u00221dcd6c6e13a288e6556ab8c21e44f76295878b25\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227a059e686bc1fefbc7768bdfc19134e4\u0022, \u0022payload_hash\u0022: \u00229ce40fcd50daa9cdd8d4cbaa16e6cb46\u0022, \u0022path_pattern_hash\u0022: \u002278b85c05b86f9869fecb7907511b414c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/public\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: clos\u0022, \u0022payload_snippet\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/public\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: clos\u0022, \u0022payload_snippet\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022354510a5d579598a2c4ca649f6dac339f011b16f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/public\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/public\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/public\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/public\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/public\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":261},{"id":8899343,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44442,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/wp-content\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00228722e02703dc1bbf95cbc71c136b8a1b4f99dd1c\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00221cbb6121d6675be288abb212d6a93556d924de3d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 292, \u0022payload_entropy\u0022: 5.371101235661317, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u002235f8448c7be540d5441c66c046f8595b68a4a44f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222cc5e979b4aa5d7571892cda12c371fb\u0022, \u0022payload_hash\u0022: \u002279743150323195149d0583f12e0d1a71\u0022, \u0022path_pattern_hash\u0022: \u0022653b421a6e10a22436e18cc595f6a1ee\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricsson\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wp-content\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5  (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5  (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricsson\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wp-content\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5  (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5  (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricsson\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227a6c77d6e4f6814c7386d52342fce51fb6816e22\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wp-content\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5  (KHTML, like Gecko) Versi\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricsson\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wp-content\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wp-content\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5  (KHTML, like Gecko) Versi\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wp-content\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wp-content\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricsson\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Linux; U; Android 1.6; es-es; SonyEricssonX10i Build\/R1FA016) AppleWebKit\/528.5  (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":292},{"id":8899344,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44454,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/blog\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00228e92d936d6a6024e533f7637d21abbccadcee16c\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00221813dede65bdf71d338345f47e16a42344128e28\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 277, \u0022payload_entropy\u0022: 5.377192529902058, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u00225dca9537a7d767177812608b8403d70b33ca32d1\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b55991730c8da276eaad7e5a4d953375\u0022, \u0022payload_hash\u0022: \u0022599f4647bd2a124323a74c09d5180830\u0022, \u0022path_pattern_hash\u0022: \u0022daa6f35b77a4b5cee3d40cc9dc6869ad\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleW\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/blog\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleW\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/blog\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleW\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022768c5b91894b0e5378c45a988e51705e40f5ca57\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/blog\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleW\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/blog\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/blog\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/blog\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/blog\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleW\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":277},{"id":8899345,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44470,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/dashboard\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002287ebac2b3cc7ed6ba4ee408a82877492dcfa5d2e\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00228e8dab3e424b71a244774110fadcc774ba40fa59\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 268, \u0022payload_entropy\u0022: 5.420007317045859, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022989dbb03916bfad31f1cc2fcce67a57732a32cc4\u0022, \u0022event_fingerprint\u0022: \u00228adeaa748274321cb5d4bffabe1d618156274bde\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b05785e0cf1ecbcc64b771618a4d8e5e\u0022, \u0022payload_hash\u0022: \u0022fd863026555ef1bd607491ee72b9ea3e\u0022, \u0022path_pattern_hash\u0022: \u002233b0aba70ccc7970e9e866f8e50aaddb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dashboard\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnectio\u0022, \u0022payload_snippet\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/dashboard\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnectio\u0022, \u0022payload_snippet\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002285ff1cfa18f10f64f41dd8f61ac947b5b5a9a103\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dashboard\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dashboard\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/dashboard\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/dashboard\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/dashboard\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_traefik\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_traefik\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":268},{"id":8899346,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44478,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/shop\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002282bc08fcd754aebae7cb8412656fd0b2c0b04c8c\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022802d0aecf0b84c68ef00c159917e7dd44f6dfd34\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 263, \u0022payload_entropy\u0022: 5.372224214807448, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a773bb876d08e7526957a5dd0c3e03e4dfe84a26\u0022, \u0022event_fingerprint\u0022: \u00220e86c3620c509a5c2cca5d6f932f221beed8daac\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002243f45cfe9fd28ea822e7317744b01c05\u0022, \u0022payload_hash\u0022: \u002290e9f03a3592d750fdc601ccbd72db35\u0022, \u0022path_pattern_hash\u0022: \u00226603e8dbaffaf78a6758aff077d9de4a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/53\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/shop\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/53\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/shop\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: cl\u0022, \u0022payload_snippet\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/53\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227248d76d9cf747e42b66f8b16ca170ce25da9565\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/shop\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safar\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/53\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/shop\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/shop\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safar\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/shop\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/shop\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/53\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_shop\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_shop\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":263},{"id":8899347,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44490,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":29,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/v3\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002296e1db10c74ac5f8e9c335efe735320e22b5dbee\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00224bf76a52a29633f52f17f2cac5ee4daa8e021adb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 184, \u0022payload_entropy\u0022: 5.284624199566195, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 89, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002228c15f9a9769aff3b5c40f49c99ad3890e97ecb0\u0022, \u0022event_fingerprint\u0022: \u0022133d24936db2953484f8bec9e29b8af25a9061e2\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 89, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022dd31faa4256f873e33967d39c189a795\u0022, \u0022payload_hash\u0022: \u00221fce38dfe8f783a6754ac10b4c79ce7d\u0022, \u0022path_pattern_hash\u0022: \u00224562786c79a4c5f0790c3581071f5847\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 89}, \u0022payload_preview\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nAccept-Char\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v3\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nAccept-Char\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v3\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nAccept-Char\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022block\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228ed293419cf933cd91ab55cdf77a343b56bbe2d1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v3\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nAccept-Char\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v3\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 89\/100 (Critique) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 89, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 89, \u0022risk_label\u0022: \u0022Critique\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022block\u0022, \u0022recommended_action_label\u0022: \u0022Bloquer (recommand\u00e9)\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v3\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v3\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/v3\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\\r\\nAccept-Char\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_block\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_metasploit_ua\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1)","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_metasploit_ua\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":184},{"id":8899348,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44500,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/wordpress\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002292bf09d6d5b04766787d6daa8754d6c469e16ccc\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022466d1ef9599315e8ea185d729b1bb7f4ef3f3e3e\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 199, \u0022payload_entropy\u0022: 5.18840036878758, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u002203d63973b78501917499f0730f639620f8ed318c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229426bba269712bc8a4a40109a13e67eb\u0022, \u0022payload_hash\u0022: \u0022407dfa45fc995c033cdd4494ed6602e3\u0022, \u0022path_pattern_hash\u0022: \u0022065fde2a84971d9e936ccb4d03006f9c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wordpress\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wordpress\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c2993ef4028da0e44458160061957f72b911ba5b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wordpress\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wordpress\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wordpress\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/wordpress\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wordpress\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Opera\/9.80 (X11; Linux i686) Presto\/2.12.388 Version\/12.16","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":199},{"id":8899349,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44516,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/laravel\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022c1829e33905e469435482d5a99cb1058fc3c4be7\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022ff65c052e15f784544b91aafeff8e6c3f996fc2a\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 252, \u0022payload_entropy\u0022: 5.403739654095744, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u002292581a41b4d6154ab0936225627d8d29bdddf8d3\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220744a14798456c3620dc800647d69ee1\u0022, \u0022payload_hash\u0022: \u0022f2f2c87e80e22db7511776d221246830\u0022, \u0022path_pattern_hash\u0022: \u00223a3de1279fd8fe4dc4799f8620f7768e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/laravel\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/laravel\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002290f1500b822934c636b92ef1ad972e08c55874b9\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/laravel\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/laravel\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/laravel\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/laravel\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/laravel\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":252},{"id":8899350,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44522,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/symfony\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00221d5febf1cb72eeb60d87e03b5c6a11b1afb00eb1\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022256775bfb3e8fd0855bebb6ef917cf83cff8a368\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.410865299734548, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u0022e4635f7cc12a737b8b254a6fadf8de6da5e6c832\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a1edefbef02d39d16df9c5617dc14238\u0022, \u0022payload_hash\u0022: \u0022a398db98a96900522a6483cfbc6358f7\u0022, \u0022path_pattern_hash\u0022: \u00228b0b254049cc28b88f641713d31106e0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/symfony\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/symfony\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227d07700a76adaba7ce869ec5f9159e1b3dcff6a8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/symfony\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/symfony\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/symfony\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/symfony\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/symfony\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.0.0; F5321) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":260},{"id":8899351,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44524,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/code\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022d15cb68f57489ee8a3db90e9f82d6ffde6618ef9\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022538da175681b2052ab512cad0fb3bd57e81adff0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 251, \u0022payload_entropy\u0022: 5.412817302193409, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u0022bc745fcb911b3c16e37b87eadeba00f49e40272f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b7f4e1a3426650d50697366eb233b6e4\u0022, \u0022payload_hash\u0022: \u0022bbee999fe4d96e785c92a4012377ec59\u0022, \u0022path_pattern_hash\u0022: \u0022dda1558dfc88b8ae947dda6da613b7f7\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/code\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/code\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022086bdc1c65626fe9cc3efa7423ea4db7f28b10c0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/code\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/code\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/code\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/code\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/code\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.119 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":251},{"id":8899352,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44532,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/project\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002226256ae137bd4c078bf51108cfca2a4811363f6e\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u002268976db99265042d7b0c3b91df3fbefc1a56cd37\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.394377816427604, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002296d39bb6273d9bfcafdfc675b57621a26b59331f\u0022, \u0022event_fingerprint\u0022: \u0022b19410598561fa5b11e6e1b1a87431cfb2637cc3\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00224efa66e4bf9401c2f006c800e3c5ba2f\u0022, \u0022payload_hash\u0022: \u00229b5b4688916d0c0f5fcd2c969e4f41f2\u0022, \u0022path_pattern_hash\u0022: \u002240d5006de80bb36cea868dfbe43c4ff0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKi\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/project\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/project\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\u0022, \u0022payload_snippet\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e635a5650f725418eb9ac226ec73accef2441484\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/project\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKi\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/project\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/project\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/project\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/project\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKi\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":260},{"id":8899323,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44238,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002295d63f6129759fbfd7715126f77f2d0f6a99428e\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022e2f253eab0d0cf5422d24d22ae2a4954398768df\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 247, \u0022payload_entropy\u0022: 5.379427301788664, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022eb894b2ab34a35bf670152896386a7511c9055f6\u0022, \u0022event_fingerprint\u0022: \u00223db4fac77cef3254b97d6b91720f612e22d37382\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 270, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0198\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0198\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0198\u0022], \u0022matched_pattern_names\u0022: [\u0022Probe \/.git\/config\u0022], \u0022pattern_ids\u0022: [\u0022pat-0198\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002216f8c6ef3fdeee63db1a03394fea0ccb\u0022, \u0022payload_hash\u0022: \u002210336ada3999054c3c0d6d6ba6de7877\u0022, \u0022path_pattern_hash\u0022: \u00223ec26e4f0817b37785cd5e68fed88892\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KH\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KH\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KH\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002208d118461e9ce716e558d2e323f5e84000023c29\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KH\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022pat-0198\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022pat-0198\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KH\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_git\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Linux; Android 8.0.0; SM-T820) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_probe_git\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":247},{"id":8899324,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44252,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":21,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/app\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022490f7b7b2123279684930fe922cd9a44437517dc\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022c0d576333b61f38bb5785040d2824435407a4c84\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 168, \u0022payload_entropy\u0022: 5.254129981916952, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 92.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 65, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b780d7c311c34f9ba1c15d680b46d8da9562818e\u0022, \u0022event_fingerprint\u0022: \u0022d88cd9598287237babca2cbf75fe38cc8b8df541\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 65, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00223e7cd1f97a4d30d83792d5575bda9568\u0022, \u0022payload_hash\u0022: \u0022a6033d92881e7a18813bb1fe4a43c993\u0022, \u0022path_pattern_hash\u0022: \u002287d63e686c8d80bd28afc993649c7598\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 65}, \u0022payload_preview\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (PLAYSTATION 3; 2.00)\\r\\nAccept-Charset: utf-8\\r\\nAcce\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (PLAYSTATION 3; 2.00)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (PLAYSTATION 3; 2.00)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (PLAYSTATION 3; 2.00)\\r\\nAccept-Charset: utf-8\\r\\nAcce\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/app\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (PLAYSTATION 3; 2.00)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (PLAYSTATION 3; 2.00)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (PLAYSTATION 3; 2.00)\\r\\nAccept-Charset: utf-8\\r\\nAcce\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002232d956778df4b18024f0dfac30a0b22cb7fd6ce7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/app\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (PLAYSTATION 3; 2.00)\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (PLAYSTATION 3; 2.00)\\r\\nAccept-Charset: utf-8\\r\\nAcce\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 92.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 65, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 65, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/app\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (PLAYSTATION 3; 2.00)\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/app\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (PLAYSTATION 3; 2.00)\\r\\nAccept-Charset: utf-8\\r\\nAcce\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (PLAYSTATION 3; 2.00)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":168},{"id":8899325,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44262,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":28,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/v2\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u002224e6a14e022b054c4ea61dd8bf5350ebf224fae4\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u00223a5f2466c34928bb38a61b739c70bfc69a077a30\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 236, \u0022payload_entropy\u0022: 5.390499557039005, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 68, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ce114156524f0dd6dbe8271b093d90d857aaa123\u0022, \u0022event_fingerprint\u0022: \u002252359e1af329d155f0d4c3dde4ecfbe9892ec240\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022823f4d5313365bf117e760dc75e9acd4\u0022, \u0022payload_hash\u0022: \u0022e9aa3471d2f7000ffba6bd2b28c62703\u0022, \u0022path_pattern_hash\u0022: \u0022fcafe4006602b874bcf9d18118e88566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 68}, \u0022payload_preview\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v2\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v2\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d367ef445cf06182f64567b154cc9598dcf8ccef\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v2\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v2\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 68, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 68, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v2\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v2\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/v2\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Ge\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":236},{"id":8899326,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44270,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":27,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/src\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u0022f3f687c43c84055959ed3c9c679d5919ea097c92\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u002246e050e820087702ef14a381ebad48881db62e31\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 194, \u0022payload_entropy\u0022: 5.299150823813033, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 89, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225440a2c5c4e1383e16098b01a3da66e14b65be2d\u0022, \u0022event_fingerprint\u0022: \u0022abee38cc99b458526525b57a20f640ed9575b68c\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 89, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228c8a98262897cefb744b7a5b8f9999a2\u0022, \u0022payload_hash\u0022: \u00220150d3254adb83d099a021bbedadfc18\u0022, \u0022path_pattern_hash\u0022: \u002283762003e224a5603ed7ad8ff32c59fc\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 89}, \u0022payload_preview\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\\r\\nA\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/src\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\\r\\nA\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/src\/.git\/config\u0022, \u0022user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\\r\\nA\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022block\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d252015c6e8a2050d6c718b1f4e95a03a4c6c3d3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/src\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\\r\\nA\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/src\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 89\/100 (Critique) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 89, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 89, \u0022risk_label\u0022: \u0022Critique\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022block\u0022, \u0022recommended_action_label\u0022: \u0022Bloquer (recommand\u00e9)\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/src\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/src\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/src\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5\\r\\nA\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_block\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_metasploit_ua\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"Mozilla\/4.0 (compatible; MSIE 6.0; j2me) ReqwirelessWeb\/3.5","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_metasploit_ua\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":194},{"id":8899327,"ip":"34.180.20.149","ts":"2026-06-14 13:09:11.000000","proto":"tcp","src_port":44280,"dst_port":9008,"service":"http","classification":"config_file_probe","waf_score":34,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022]","http_method":"GET","http_target":"\/v1\/.git\/config","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022git\/config\u0022, \u0022http_ua_hash\u0022: \u00220abda20fb0c7a964ef9c63b2287640e1b7b03691\u0022, \u0022http_host_hash\u0022: \u0022df95e9c786bf071ffbf019574381ff679a557a7a\u0022, \u0022http_target_hash\u0022: \u0022852e68c3e2549d34d36a9b5a3605571990e68c97\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.069430592697483, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 69, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221f5741a796ad117f65b0f779a201c310f1f14800\u0022, \u0022event_fingerprint\u0022: \u0022c037140d233e197c8fda9da591ad75cb8420f1f8\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 215, \u0022precision_signals\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222ae2893ad48563e5bfca62563940cc75\u0022, \u0022payload_hash\u0022: \u002266200e53f5b5a07e3a4776b21d221a0f\u0022, \u0022path_pattern_hash\u0022: \u00220efea7c22b821f254abb056b9239c5c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 69}, \u0022payload_preview\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\\r\\nAcce\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v1\/.git\/config\u0022, \u0022user_agent\u0022: \u0022TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\\r\\nAcce\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v1\/.git\/config\u0022, \u0022user_agent\u0022: \u0022TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022leak-0\u0022], \u0022request_line\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\\r\\nAccept-Charset: utf-8\\r\\nAccept-Encoding: gzip\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\\r\\nAcce\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022725efc2843735cbac7f52a57f0aa1a49cb4ec84a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v1\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\\r\\nAcce\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v1\/.git\/config\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 69, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 69, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022SIGMA-web-config-leak\u0022, \u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v1\/.git\/config\u0022, \u0022request_line\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9008 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v1\/.git\/config\u0022, \u0022evidence_snippet\u0022: \u0022GET \/v1\/.git\/config HTTP\/1.1\\r\\nHost: 62.3.50.33:9008\\r\\nUser-Agent: TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)\\r\\nAcce\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9008","http_user_agent":"TurnitinBot (https:\/\/turnitin.com\/robot\/crawlerinfo.html)","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950513:leak-0\u0022, \u0022http_backup_file_scan\u0022, \u0022http_git_exposure\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":8899285,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":43972,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.838147895830394, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u002279aca2c98208ec1dabbc1b9511522c9f\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001a.Fzx8\ufffdU\\u001b\ufffdt\\u0017\ufffde!\\u0013\ufffd\\u0015\ufffd\ufffd\ufffd\\u0016\ufffd[@Iq\ufffd\\u0012\ufffd \ufffdD\ufffdN\ufffd\ufffd0A\ufffd\ufffd\ufffd\ufffdf4\\u0004\ufffd\ufffd\\u001a0\ufffd_\ufffd[\ufffd@\\u0005O\ufffd[\\t\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001a.Fzx8\ufffdU\\u001b\ufffdt\\u0017\ufffde!\\u0013\ufffd\\u0015\ufffd\ufffd\ufffd\\u0016\ufffd[@Iq\ufffd\\u0012\ufffd \ufffdD\ufffdN\ufffd\ufffd0A\ufffd\ufffd\ufffd\ufffdf4\\u0004\ufffd\ufffd\\u001a0\ufffd_\ufffd[\ufffd@\\u0005O\ufffd[\\t\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffd#1\ufffd\\u0006e]=\ufffdet5\ufffd\ufffd\ufffd!Z\ufffd)\ufffdu\ufffdYfvOK\ufffd#\\u0018\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001a.Fzx8\ufffdU\\u001b\ufffdt\\u0017\ufffde!\\u0013\ufffd\\u0015\ufffd\ufffd\ufffd\\u0016\ufffd[@Iq\ufffd\\u0012\ufffd \ufffdD\ufffdN\ufffd\ufffd0A\ufffd\ufffd\ufffd\ufffdf4\\u0004\ufffd\ufffd\\u001a0\ufffd_\ufffd[\ufffd@\\u0005O\ufffd[\\t\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a8e1934bff3dccf9c5a1de15571f066de580e5dc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001a.Fzx8\ufffdU\\u001b\ufffdt\\u0017\ufffde!\\u0013\ufffd\\u0015\ufffd\ufffd\ufffd\\u0016\ufffd[@Iq\ufffd\\u0012\ufffd \ufffdD\ufffdN\ufffd\ufffd0A\ufffd\ufffd\ufffd\ufffdf4\\u0004\ufffd\ufffd\\u001a0\ufffd_\ufffd[\ufffd@\\u0005O\ufffd[\\t\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd.Fzx8\ufffdU\ufffdt\ufffde!\ufffd\ufffd\ufffd\ufffd\ufffd[@Iq\ufffd\ufffd \ufffdD\ufffdN\ufffd\ufffd0A\ufffd\ufffd\ufffd\ufffdf4\ufffd\ufffd0\ufffd_\ufffd[\ufffd@O\ufffd[\\t\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u001a.Fzx8\ufffdU\\u001b\ufffdt\\u0017\ufffde!\\u0013\ufffd\\u0015\ufffd\ufffd\ufffd\\u0016\ufffd[@Iq\ufffd\\u0012\ufffd \ufffdD\ufffdN\ufffd\ufffd0A\ufffd\ufffd\ufffd\ufffdf4\\u0004\ufffd\ufffd\\u001a0\ufffd_\ufffd[\ufffd@\\u0005O\ufffd[\\t\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd.Fzx8\ufffdU\ufffdt\ufffde!\ufffd\ufffd\ufffd\ufffd\ufffd[@Iq\ufffd\ufffd \ufffdD\ufffdN\ufffd\ufffd0A\ufffd\ufffd\ufffd\ufffdf4\ufffd\ufffd0\ufffd_\ufffd[\ufffd@O\ufffd[\\t\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899286,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":43982,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.755317311844681, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u002295e77a86361042083899c1ed1034cd27\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003:h\\u0014\ufffd\u042c\u0d5f\ufffd\ufffd\ufffdS\ufffd\ufffd}\\u0006\u003E\\u0014\u079f\ufffd\\u0006{\u0621\/ZR\ufffd\ufffd\ufffd J\ufffd\\u0010\\u0018Ag{\ufffd\ufffd\\u0016\\u0001}\ufffd\u0027\ufffd2\\nl\ufffd*\ufffd\\u0004J\\u001b,\u016f\\u00009M\ufffd*\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003:h\\u0014\ufffd\u042c\u0d5f\ufffd\ufffd\ufffdS\ufffd\ufffd}\\u0006\u003E\\u0014\u079f\ufffd\\u0006{\u0621\/ZR\ufffd\ufffd\ufffd J\ufffd\\u0010\\u0018Ag{\ufffd\ufffd\\u0016\\u0001}\ufffd\u0027\ufffd2\\nl\ufffd*\ufffd\\u0004J\\u001b,\u016f\\u00009M\ufffd*\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 ?bf\ufffd\\u0006oq+\u00c8\ufffdr\ufffd\\u000f-\ufffd\/\ufffdi\\u001822\ufffd\ufffd\ufffd\ufffd2k; \u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003:h\\u0014\ufffd\u042c\u0d5f\ufffd\ufffd\ufffdS\ufffd\ufffd}\\u0006\u003E\\u0014\u079f\ufffd\\u0006{\u0621\/ZR\ufffd\ufffd\ufffd J\ufffd\\u0010\\u0018Ag{\ufffd\ufffd\\u0016\\u0001}\ufffd\u0027\ufffd2\\nl\ufffd*\ufffd\\u0004J\\u001b,\u016f\\u00009M\ufffd*\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229790190630fd66067275e72641e02943c7b8894f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003:h\\u0014\ufffd\u042c\u0d5f\ufffd\ufffd\ufffdS\ufffd\ufffd}\\u0006\u003E\\u0014\u079f\ufffd\\u0006{\u0621\/ZR\ufffd\ufffd\ufffd J\ufffd\\u0010\\u0018Ag{\ufffd\ufffd\\u0016\\u0001}\ufffd\u0027\ufffd2\\nl\ufffd*\ufffd\\u0004J\\u001b,\u016f\\u00009M\ufffd*\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd:h\ufffd\u042c\u0d5f\ufffd\ufffd\ufffdS\ufffd\ufffd}\u003E\u079f\ufffd{\u0621\/ZR\ufffd\ufffd\ufffd J\ufffdAg{\ufffd\ufffd}\ufffd\u0027\ufffd2\\nl\ufffd*\ufffdJ,\u016f9M\ufffd*\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003:h\\u0014\ufffd\u042c\u0d5f\ufffd\ufffd\ufffdS\ufffd\ufffd}\\u0006\u003E\\u0014\u079f\ufffd\\u0006{\u0621\/ZR\ufffd\ufffd\ufffd J\ufffd\\u0010\\u0018Ag{\ufffd\ufffd\\u0016\\u0001}\ufffd\u0027\ufffd2\\nl\ufffd*\ufffd\\u0004J\\u001b,\u016f\\u00009M\ufffd*\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd:h\ufffd\u042c\u0d5f\ufffd\ufffd\ufffdS\ufffd\ufffd}\u003E\u079f\ufffd{\u0621\/ZR\ufffd\ufffd\ufffd J\ufffdAg{\ufffd\ufffd}\ufffd\u0027\ufffd2\\nl\ufffd*\ufffdJ,\u016f9M\ufffd*\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899287,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":43996,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.900701639584577, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00222d8b7e0cc1e2a3f5b92897530f8fe097\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003E\ufffd\ufffd\ufffd\ufffd2A\ufffd\ufffdkx\ufffd\ufffdF\\u0007\ufffdu\ufffd\u0026\ufffd\ufffd\ufffd\ufffd\ufffdCCD\ufffdv\ufffd\ufffd4 \ufffdi\ufffd\ufffd\ufffdMI\u003E\ufffdF\\u0012\\u000fw3\ufffde\ufffd(lY\ufffd\ufffdE\ufffdv\ufffdG%;\ufffd$\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003E\ufffd\ufffd\ufffd\ufffd2A\ufffd\ufffdkx\ufffd\ufffdF\\u0007\ufffdu\ufffd\u0026\ufffd\ufffd\ufffd\ufffd\ufffdCCD\ufffdv\ufffd\ufffd4 \ufffdi\ufffd\ufffd\ufffdMI\u003E\ufffdF\\u0012\\u000fw3\ufffde\ufffd(lY\ufffd\ufffdE\ufffdv\ufffdG%;\ufffd$\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\u000e\ufffd)\ufffd\ufffd\ufffdl\ufffd2\ufffdz\u03cb%\ufffd+\ufffd\ufffdN\\\u0022Di\ufffd\\u0003|\\r\u00260\ufffd,\\u0014j\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003E\ufffd\ufffd\ufffd\ufffd2A\ufffd\ufffdkx\ufffd\ufffdF\\u0007\ufffdu\ufffd\u0026\ufffd\ufffd\ufffd\ufffd\ufffdCCD\ufffdv\ufffd\ufffd4 \ufffdi\ufffd\ufffd\ufffdMI\u003E\ufffdF\\u0012\\u000fw3\ufffde\ufffd(lY\ufffd\ufffdE\ufffdv\ufffdG%;\ufffd$\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226ebbefb5adb0bff50c96ef3570e3e6202eb0a037\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003E\ufffd\ufffd\ufffd\ufffd2A\ufffd\ufffdkx\ufffd\ufffdF\\u0007\ufffdu\ufffd\u0026\ufffd\ufffd\ufffd\ufffd\ufffdCCD\ufffdv\ufffd\ufffd4 \ufffdi\ufffd\ufffd\ufffdMI\u003E\ufffdF\\u0012\\u000fw3\ufffde\ufffd(lY\ufffd\ufffdE\ufffdv\ufffdG%;\ufffd$\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd2A\ufffd\ufffdkx\ufffd\ufffdF\ufffdu\ufffd\u0026\ufffd\ufffd\ufffd\ufffd\ufffdCCD\ufffdv\ufffd\ufffd4 \ufffdi\ufffd\ufffd\ufffdMI\u003E\ufffdFw3\ufffde\ufffd(lY\ufffd\ufffdE\ufffdv\ufffdG%;\ufffd$\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003E\ufffd\ufffd\ufffd\ufffd2A\ufffd\ufffdkx\ufffd\ufffdF\\u0007\ufffdu\ufffd\u0026\ufffd\ufffd\ufffd\ufffd\ufffdCCD\ufffdv\ufffd\ufffd4 \ufffdi\ufffd\ufffd\ufffdMI\u003E\ufffdF\\u0012\\u000fw3\ufffde\ufffd(lY\ufffd\ufffdE\ufffdv\ufffdG%;\ufffd$\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd2A\ufffd\ufffdkx\ufffd\ufffdF\ufffdu\ufffd\u0026\ufffd\ufffd\ufffd\ufffd\ufffdCCD\ufffdv\ufffd\ufffd4 \ufffdi\ufffd\ufffd\ufffdMI\u003E\ufffdFw3\ufffde\ufffd(lY\ufffd\ufffdE\ufffdv\ufffdG%;\ufffd$\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899288,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44006,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.906793803598459, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022c7ac66a8883610a326e210416fe93e8b\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0010\\nUUP\ufffd\\u0012j*\u022brpF\ufffd\ufffdq\\u0004\ufffdD?\ufffdY\ufffd\ufffd=\ufffd\ufffd|\ufffd \u0635\ufffd\ufffd~\ufffd\ufffd\\u0006{\ufffd;\ufffdZ\u0026\\u0012#\ufffd\ufffdLO\ufffdc`d\ufffd\ufffd\ufffd9\\tC\ufffd7\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0010\\nUUP\ufffd\\u0012j*\u022brpF\ufffd\ufffdq\\u0004\ufffdD?\ufffdY\ufffd\ufffd=\ufffd\ufffd|\ufffd \u0635\ufffd\ufffd~\ufffd\ufffd\\u0006{\ufffd;\ufffdZ\u0026\\u0012#\ufffd\ufffdLO\ufffdc`d\ufffd\ufffd\ufffd9\\tC\ufffd7\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 }=\ufffdJ\ufffd\ufffdnw\ufffd\u0565(\ufffd\ufffd9:lC\ufffd\ufffda\ufffd\ufffd\ufffd\ufffdJ\ufffd\\u0018\ufffd:2D\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0010\\nUUP\ufffd\\u0012j*\u022brpF\ufffd\ufffdq\\u0004\ufffdD?\ufffdY\ufffd\ufffd=\ufffd\ufffd|\ufffd \u0635\ufffd\ufffd~\ufffd\ufffd\\u0006{\ufffd;\ufffdZ\u0026\\u0012#\ufffd\ufffdLO\ufffdc`d\ufffd\ufffd\ufffd9\\tC\ufffd7\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002231389c1bf2df7893dfd10b9a534ec8747e23d449\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0010\\nUUP\ufffd\\u0012j*\u022brpF\ufffd\ufffdq\\u0004\ufffdD?\ufffdY\ufffd\ufffd=\ufffd\ufffd|\ufffd \u0635\ufffd\ufffd~\ufffd\ufffd\\u0006{\ufffd;\ufffdZ\u0026\\u0012#\ufffd\ufffdLO\ufffdc`d\ufffd\ufffd\ufffd9\\tC\ufffd7\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\nUUP\ufffdj*\u022brpF\ufffd\ufffdq\ufffdD?\ufffdY\ufffd\ufffd=\ufffd\ufffd|\ufffd \u0635\ufffd\ufffd~\ufffd\ufffd{\ufffd;\ufffdZ\u0026#\ufffd\ufffdLO\ufffdc`d\ufffd\ufffd\ufffd9\\tC\ufffd7\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0010\\nUUP\ufffd\\u0012j*\u022brpF\ufffd\ufffdq\\u0004\ufffdD?\ufffdY\ufffd\ufffd=\ufffd\ufffd|\ufffd \u0635\ufffd\ufffd~\ufffd\ufffd\\u0006{\ufffd;\ufffdZ\u0026\\u0012#\ufffd\ufffdLO\ufffdc`d\ufffd\ufffd\ufffd9\\tC\ufffd7\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\nUUP\ufffdj*\u022brpF\ufffd\ufffdq\ufffdD?\ufffdY\ufffd\ufffd=\ufffd\ufffd|\ufffd \u0635\ufffd\ufffd~\ufffd\ufffd{\ufffd;\ufffdZ\u0026#\ufffd\ufffdLO\ufffdc`d\ufffd\ufffd\ufffd9\\tC\ufffd7\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899289,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44018,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.814649809836576, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00222e2d18ea4b0ab31a30c20d3e755706e1\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u1c55\ufffd\ufffd\\b\ufffd\ufffd=\ufffd\\u0001LF|{\u037f\ufffd\ufffd\ufffdiv\ufffd\\u0001\ufffdI\ufffd\ufffd]#\\u0017\ufffd \\u0000\\u001a\\u001d\u0026\ufffd6\ufffd\\u001e\\\\\u003E\\u0007\\u001c\u0027u\\u0005\ufffd\ufffd \ufffd\u02a9!\ufffd\\u001b\ufffd\ufffdxCj\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u1c55\ufffd\ufffd\\b\ufffd\ufffd=\ufffd\\u0001LF|{\u037f\ufffd\ufffd\ufffdiv\ufffd\\u0001\ufffdI\ufffd\ufffd]#\\u0017\ufffd \\u0000\\u001a\\u001d\u0026\ufffd6\ufffd\\u001e\\\\\u003E\\u0007\\u001c\u0027u\\u0005\ufffd\ufffd \ufffd\u02a9!\ufffd\\u001b\ufffd\ufffdxCj\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 =\u0788\ufffdJ\ufffd}\ufffd\ufffdt\\\u0022*9\ufffd\\u0013Vi[\ufffdt\ufffd^\\u000b1\ufffd\ufffd\ufffd\\u0001\ufffd{\ufffd^\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u1c55\ufffd\ufffd\\b\ufffd\ufffd=\ufffd\\u0001LF|{\u037f\ufffd\ufffd\ufffdiv\ufffd\\u0001\ufffdI\ufffd\ufffd]#\\u0017\ufffd \\u0000\\u001a\\u001d\u0026\ufffd6\ufffd\\u001e\\\\\u003E\\u0007\\u001c\u0027u\\u0005\ufffd\ufffd \ufffd\u02a9!\ufffd\\u001b\ufffd\ufffdxCj\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222847d3f1dd0995eb158184249d732d534242304a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u1c55\ufffd\ufffd\\b\ufffd\ufffd=\ufffd\\u0001LF|{\u037f\ufffd\ufffd\ufffdiv\ufffd\\u0001\ufffdI\ufffd\ufffd]#\\u0017\ufffd \\u0000\\u001a\\u001d\u0026\ufffd6\ufffd\\u001e\\\\\u003E\\u0007\\u001c\u0027u\\u0005\ufffd\ufffd \ufffd\u02a9!\ufffd\\u001b\ufffd\ufffdxCj\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u1c55\ufffd\ufffd\ufffd\ufffd=\ufffdLF|{\u037f\ufffd\ufffd\ufffdiv\ufffd\ufffdI\ufffd\ufffd]#\ufffd \u0026\ufffd6\ufffd\\\\\u003E\u0027u\ufffd\ufffd \ufffd\u02a9!\ufffd\ufffd\ufffdxCj\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u1c55\ufffd\ufffd\\b\ufffd\ufffd=\ufffd\\u0001LF|{\u037f\ufffd\ufffd\ufffdiv\ufffd\\u0001\ufffdI\ufffd\ufffd]#\\u0017\ufffd \\u0000\\u001a\\u001d\u0026\ufffd6\ufffd\\u001e\\\\\u003E\\u0007\\u001c\u0027u\\u0005\ufffd\ufffd \ufffd\u02a9!\ufffd\\u001b\ufffd\ufffdxCj\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u1c55\ufffd\ufffd\ufffd\ufffd=\ufffdLF|{\u037f\ufffd\ufffd\ufffdiv\ufffd\ufffdI\ufffd\ufffd]#\ufffd \u0026\ufffd6\ufffd\\\\\u003E\u0027u\ufffd\ufffd \ufffd\u02a9!\ufffd\ufffd\ufffdxCj\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899290,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44028,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.760309546016277, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u002268a064f735592f24c2dfc967b181f0e0\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003^{\ufffdm\ufffd\ufffd\\u001b#+\ufffd\\u0007y\ufffd\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd#\ufffd\u01d5\ufffd\ufffdGX\ufffd\u0322\ufffd\ufffd \\b\u0026\u003E\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\u003C\ufffd.\ufffd\ufffd@\ufffd\ufffd*\\u0006\ufffd\\u001b\ufffd\\u001b\ufffdHy\ufffdD\\u0001\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003^{\ufffdm\ufffd\ufffd\\u001b#+\ufffd\\u0007y\ufffd\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd#\ufffd\u01d5\ufffd\ufffdGX\ufffd\u0322\ufffd\ufffd \\b\u0026\u003E\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\u003C\ufffd.\ufffd\ufffd@\ufffd\ufffd*\\u0006\ufffd\\u001b\ufffd\\u001b\ufffdHy\ufffdD\\u0001\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 [\ufffd\ufffd\\u0000\ufffd!I\u0027\ufffd\ufffd\\u0003\ufffd\\u0003\ufffdx\\n\\u0011\ufffd\\u001b\ufffd\ufffd\\u0006\ufffd\ufffd[\ufffdh\\n\\u0015\ufffd\\u0017\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003^{\ufffdm\ufffd\ufffd\\u001b#+\ufffd\\u0007y\ufffd\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd#\ufffd\u01d5\ufffd\ufffdGX\ufffd\u0322\ufffd\ufffd \\b\u0026\u003E\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\u003C\ufffd.\ufffd\ufffd@\ufffd\ufffd*\\u0006\ufffd\\u001b\ufffd\\u001b\ufffdHy\ufffdD\\u0001\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228bc22269d14e926199989962c3ef8d94b0e9b507\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003^{\ufffdm\ufffd\ufffd\\u001b#+\ufffd\\u0007y\ufffd\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd#\ufffd\u01d5\ufffd\ufffdGX\ufffd\u0322\ufffd\ufffd \\b\u0026\u003E\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\u003C\ufffd.\ufffd\ufffd@\ufffd\ufffd*\\u0006\ufffd\\u001b\ufffd\\u001b\ufffdHy\ufffdD\\u0001\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd^{\ufffdm\ufffd\ufffd#+\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\u01d5\ufffd\ufffdGX\ufffd\u0322\ufffd\ufffd \u0026\u003E\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\u003C\ufffd.\ufffd\ufffd@\ufffd\ufffd*\ufffd\ufffd\ufffdHy\ufffdD\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003^{\ufffdm\ufffd\ufffd\\u001b#+\ufffd\\u0007y\ufffd\ufffd\\u0015\ufffd\ufffd\ufffd\ufffd#\ufffd\u01d5\ufffd\ufffdGX\ufffd\u0322\ufffd\ufffd \\b\u0026\u003E\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\u003C\ufffd.\ufffd\ufffd@\ufffd\ufffd*\\u0006\ufffd\\u001b\ufffd\\u001b\ufffdHy\ufffdD\\u0001\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd^{\ufffdm\ufffd\ufffd#+\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\u01d5\ufffd\ufffdGX\ufffd\u0322\ufffd\ufffd \u0026\u003E\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\u003C\ufffd.\ufffd\ufffd@\ufffd\ufffd*\ufffd\ufffd\ufffdHy\ufffdD\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899291,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44036,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.833464149057329, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u002241ee78d2635583302906620f50396d31\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002l\ufffd\ufffd\ufffdg\ufffdLV\ufffd\ufffd\\u0012\uf09cp\\u001d\ufffdM\u0571\ufffdj\ufffd\\tBm \ufffd\ufffd\ufffd U\ufffdCs;\ufffd\\\u0022\u06f3m\ufffd\ufffd3\ufffd\ufffd:\ufffdB\\u001c\ufffd\\bj\ufffd\/\ufffd\ufffd\u003C\ufffd\ufffd\u0026\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002l\ufffd\ufffd\ufffdg\ufffdLV\ufffd\ufffd\\u0012\uf09cp\\u001d\ufffdM\u0571\ufffdj\ufffd\\tBm \ufffd\ufffd\ufffd U\ufffdCs;\ufffd\\\u0022\u06f3m\ufffd\ufffd3\ufffd\ufffd:\ufffdB\\u001c\ufffd\\bj\ufffd\/\ufffd\ufffd\u003C\ufffd\ufffd\u0026\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 4\u03c0\ufffdb\\u0007\ufffd\ufffd\ufffd\\u0011\\u0005\ufffdW\\u001f}4\ufffd\ufffd\ufffd\ufffd7\ufffd4\u0727Isk\u003E\ufffd\ufffd\\u0006\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002l\ufffd\ufffd\ufffdg\ufffdLV\ufffd\ufffd\\u0012\uf09cp\\u001d\ufffdM\u0571\ufffdj\ufffd\\tBm \ufffd\ufffd\ufffd U\ufffdCs;\ufffd\\\u0022\u06f3m\ufffd\ufffd3\ufffd\ufffd:\ufffdB\\u001c\ufffd\\bj\ufffd\/\ufffd\ufffd\u003C\ufffd\ufffd\u0026\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c40e2d8bbda73e09a86867d4a1f4bd79bfc0c2b7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002l\ufffd\ufffd\ufffdg\ufffdLV\ufffd\ufffd\\u0012\uf09cp\\u001d\ufffdM\u0571\ufffdj\ufffd\\tBm \ufffd\ufffd\ufffd U\ufffdCs;\ufffd\\\u0022\u06f3m\ufffd\ufffd3\ufffd\ufffd:\ufffdB\\u001c\ufffd\\bj\ufffd\/\ufffd\ufffd\u003C\ufffd\ufffd\u0026\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdl\ufffd\ufffd\ufffdg\ufffdLV\ufffd\ufffd\uf09cp\ufffdM\u0571\ufffdj\ufffd\\tBm \ufffd\ufffd\ufffd U\ufffdCs;\ufffd\\\u0022\u06f3m\ufffd\ufffd3\ufffd\ufffd:\ufffdB\ufffdj\ufffd\/\ufffd\ufffd\u003C\ufffd\ufffd\u0026\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002l\ufffd\ufffd\ufffdg\ufffdLV\ufffd\ufffd\\u0012\uf09cp\\u001d\ufffdM\u0571\ufffdj\ufffd\\tBm \ufffd\ufffd\ufffd U\ufffdCs;\ufffd\\\u0022\u06f3m\ufffd\ufffd3\ufffd\ufffd:\ufffdB\\u001c\ufffd\\bj\ufffd\/\ufffd\ufffd\u003C\ufffd\ufffd\u0026\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdl\ufffd\ufffd\ufffdg\ufffdLV\ufffd\ufffd\uf09cp\ufffdM\u0571\ufffdj\ufffd\\tBm \ufffd\ufffd\ufffd U\ufffdCs;\ufffd\\\u0022\u06f3m\ufffd\ufffd3\ufffd\ufffd:\ufffdB\ufffdj\ufffd\/\ufffd\ufffd\u003C\ufffd\ufffd\u0026\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899292,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44040,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.816952633597115, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022beb882e7ff47155ba4909807fc3992ac\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002ip\\b}T\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\ufffd\ufffd-A,OZA\ufffd\ufffd\ufffdV\ufffd# W~\ufffdjk\\u001d%5\ufffdf\ufffd\ufffd\ufffd\\t\\u001dt\ufffd\ufffdL\ufffd\ufffd3\\b{\\u0012\ufffd\ufffd~\\t\ufffdO\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002ip\\b}T\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\ufffd\ufffd-A,OZA\ufffd\ufffd\ufffdV\ufffd# W~\ufffdjk\\u001d%5\ufffdf\ufffd\ufffd\ufffd\\t\\u001dt\ufffd\ufffdL\ufffd\ufffd3\\b{\\u0012\ufffd\ufffd~\\t\ufffdO\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdXl\/v\ufffd\ufffd\\u000b\ufffd\ufffd\ufffd\\r\ufffdvZ]\ufffd\ufffd\ufffd\ufffd\ufffd\u06e4\ufffd\\u0003ke\ufffd\u02e3p|\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002ip\\b}T\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\ufffd\ufffd-A,OZA\ufffd\ufffd\ufffdV\ufffd# W~\ufffdjk\\u001d%5\ufffdf\ufffd\ufffd\ufffd\\t\\u001dt\ufffd\ufffdL\ufffd\ufffd3\\b{\\u0012\ufffd\ufffd~\\t\ufffdO\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f23ab94e7a6309a18fe4034edf31ead314d4a610\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002ip\\b}T\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\ufffd\ufffd-A,OZA\ufffd\ufffd\ufffdV\ufffd# W~\ufffdjk\\u001d%5\ufffdf\ufffd\ufffd\ufffd\\t\\u001dt\ufffd\ufffdL\ufffd\ufffd3\\b{\\u0012\ufffd\ufffd~\\t\ufffdO\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdip}T\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-A,OZA\ufffd\ufffd\ufffdV\ufffd# W~\ufffdjk%5\ufffdf\ufffd\ufffd\ufffd\\tt\ufffd\ufffdL\ufffd\ufffd3{\ufffd\ufffd~\\t\ufffdO\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0002ip\\b}T\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd\ufffd\ufffd\ufffd\ufffd-A,OZA\ufffd\ufffd\ufffdV\ufffd# W~\ufffdjk\\u001d%5\ufffdf\ufffd\ufffd\ufffd\\t\\u001dt\ufffd\ufffdL\ufffd\ufffd3\\b{\\u0012\ufffd\ufffd~\\t\ufffdO\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdip}T\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-A,OZA\ufffd\ufffd\ufffdV\ufffd# W~\ufffdjk%5\ufffdf\ufffd\ufffd\ufffd\\tt\ufffd\ufffdL\ufffd\ufffd3{\ufffd\ufffd~\\t\ufffdO\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899293,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44054,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.791515063078402, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u002223a5786bf7c6846fc4f1c2d482451e88\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\u04a0\ufffd\ufffdp\\u0007\ufffd\/\ufffdL@\ufffd!\ufffd\ufffd\ufffdk\\u000b\ufffd\ua82b\\\u0022.\\u0018\ufffdG\ufffdz$= R\ufffdq\ufffd\\u0017\\u0018.\ufffdQ\ufffd \\b\ufffdq\ufffd2\ufffd|g\\u0013\u0026\ufffd\ufffd3\ufffdR\ufffd\ufffd\ufffd\\b9\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\u04a0\ufffd\ufffdp\\u0007\ufffd\/\ufffdL@\ufffd!\ufffd\ufffd\ufffdk\\u000b\ufffd\ua82b\\\u0022.\\u0018\ufffdG\ufffdz$= R\ufffdq\ufffd\\u0017\\u0018.\ufffdQ\ufffd \\b\ufffdq\ufffd2\ufffd|g\\u0013\u0026\ufffd\ufffd3\ufffdR\ufffd\ufffd\ufffd\\b9\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 Mg\ufffd\ufffd6\ufffd\ufffd-\ufffdw\\u0010\ufffde\ufffdS\\\u0022\u0026\ufffd\u0537\u010dN\ufffdBG\ufffdr\ufffd\ufffd\\u0014\\u0013\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\u04a0\ufffd\ufffdp\\u0007\ufffd\/\ufffdL@\ufffd!\ufffd\ufffd\ufffdk\\u000b\ufffd\ua82b\\\u0022.\\u0018\ufffdG\ufffdz$= R\ufffdq\ufffd\\u0017\\u0018.\ufffdQ\ufffd \\b\ufffdq\ufffd2\ufffd|g\\u0013\u0026\ufffd\ufffd3\ufffdR\ufffd\ufffd\ufffd\\b9\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222b6d508bf4c44d54b4ad5cfd8d12a2474638604b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\u04a0\ufffd\ufffdp\\u0007\ufffd\/\ufffdL@\ufffd!\ufffd\ufffd\ufffdk\\u000b\ufffd\ua82b\\\u0022.\\u0018\ufffdG\ufffdz$= R\ufffdq\ufffd\\u0017\\u0018.\ufffdQ\ufffd \\b\ufffdq\ufffd2\ufffd|g\\u0013\u0026\ufffd\ufffd3\ufffdR\ufffd\ufffd\ufffd\\b9\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd@\u04a0\ufffd\ufffdp\ufffd\/\ufffdL@\ufffd!\ufffd\ufffd\ufffdk\ufffd\ua82b\\\u0022.\ufffdG\ufffdz$= R\ufffdq\ufffd.\ufffdQ\ufffd \ufffdq\ufffd2\ufffd|g\u0026\ufffd\ufffd3\ufffdR\ufffd\ufffd\ufffd9\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\u04a0\ufffd\ufffdp\\u0007\ufffd\/\ufffdL@\ufffd!\ufffd\ufffd\ufffdk\\u000b\ufffd\ua82b\\\u0022.\\u0018\ufffdG\ufffdz$= R\ufffdq\ufffd\\u0017\\u0018.\ufffdQ\ufffd \\b\ufffdq\ufffd2\ufffd|g\\u0013\u0026\ufffd\ufffd3\ufffdR\ufffd\ufffd\ufffd\\b9\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd@\u04a0\ufffd\ufffdp\ufffd\/\ufffdL@\ufffd!\ufffd\ufffd\ufffdk\ufffd\ua82b\\\u0022.\ufffdG\ufffdz$= R\ufffdq\ufffd.\ufffdQ\ufffd \ufffdq\ufffd2\ufffd|g\u0026\ufffd\ufffd3\ufffdR\ufffd\ufffd\ufffd9\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899294,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44060,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.748899652398411, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022aa661029d489f87c222520360fd067ee\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u000301x3\ufffd\\u001c\ufffd$\\u001a\ufffd\\t\ufffdq\\u000f\ufffd9\ufffdS\u003C|]\ufffd\ufffd\ufffdO\ufffd9\\u00109\ufffd\ufffd \ufffd\\u0013\\u0002,l\ufffd+}N\ufffd\\rk6\\u0018\u0502k\\u0019s\u0026\ufffday\ufffd\ufffda\ufffdd\ufffdO\\u001e\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u000301x3\ufffd\\u001c\ufffd$\\u001a\ufffd\\t\ufffdq\\u000f\ufffd9\ufffdS\u003C|]\ufffd\ufffd\ufffdO\ufffd9\\u00109\ufffd\ufffd \ufffd\\u0013\\u0002,l\ufffd+}N\ufffd\\rk6\\u0018\u0502k\\u0019s\u0026\ufffday\ufffd\ufffda\ufffdd\ufffdO\\u001e\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\tR\ufffd:\\u0003\ufffd\ufffd\\r\ufffd\ufffd\\u0005\ufffd\ufffdN\ufffd\\u000biqc\ufffd1\ufffd\\u0006\ufffd\ufffd5\u0346\\bx\ufffdf\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u000301x3\ufffd\\u001c\ufffd$\\u001a\ufffd\\t\ufffdq\\u000f\ufffd9\ufffdS\u003C|]\ufffd\ufffd\ufffdO\ufffd9\\u00109\ufffd\ufffd \ufffd\\u0013\\u0002,l\ufffd+}N\ufffd\\rk6\\u0018\u0502k\\u0019s\u0026\ufffday\ufffd\ufffda\ufffdd\ufffdO\\u001e\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002278af6a389b27263f6cec44e14eb7f472f3b4f3eb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u000301x3\ufffd\\u001c\ufffd$\\u001a\ufffd\\t\ufffdq\\u000f\ufffd9\ufffdS\u003C|]\ufffd\ufffd\ufffdO\ufffd9\\u00109\ufffd\ufffd \ufffd\\u0013\\u0002,l\ufffd+}N\ufffd\\rk6\\u0018\u0502k\\u0019s\u0026\ufffday\ufffd\ufffda\ufffdd\ufffdO\\u001e\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd01x3\ufffd\ufffd$\ufffd\\t\ufffdq\ufffd9\ufffdS\u003C|]\ufffd\ufffd\ufffdO\ufffd99\ufffd\ufffd \ufffd,l\ufffd+}N\ufffd\\rk6\u0502ks\u0026\ufffday\ufffd\ufffda\ufffdd\ufffdO\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u000301x3\ufffd\\u001c\ufffd$\\u001a\ufffd\\t\ufffdq\\u000f\ufffd9\ufffdS\u003C|]\ufffd\ufffd\ufffdO\ufffd9\\u00109\ufffd\ufffd \ufffd\\u0013\\u0002,l\ufffd+}N\ufffd\\rk6\\u0018\u0502k\\u0019s\u0026\ufffday\ufffd\ufffda\ufffdd\ufffdO\\u001e\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd01x3\ufffd\ufffd$\ufffd\\t\ufffdq\ufffd9\ufffdS\u003C|]\ufffd\ufffd\ufffdO\ufffd99\ufffd\ufffd \ufffd,l\ufffd+}N\ufffd\\rk6\u0502ks\u0026\ufffday\ufffd\ufffda\ufffdd\ufffdO\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899295,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44076,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.8088527981114275, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022b1bb6eef3dfd69e73486cfc5503910f2\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdr\ufffd\ufffd\u062bV\/\ufffdu\\u0001_`\ufffd[U\ufffd\\u0000\\u0017m\ufffd\ufffd\ufffdr\ufffdc\ufffd@\\u001cQU\ufffd @\ufffd\ufffd\ufffdgv\\u0005iE\ufffdl\ufffd6^\ufffd\u01836A\ufffd\u0573\u00b5\ufffddzL\ufffd\ufffd) \\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdr\ufffd\ufffd\u062bV\/\ufffdu\\u0001_`\ufffd[U\ufffd\\u0000\\u0017m\ufffd\ufffd\ufffdr\ufffdc\ufffd@\\u001cQU\ufffd @\ufffd\ufffd\ufffdgv\\u0005iE\ufffdl\ufffd6^\ufffd\u01836A\ufffd\u0573\u00b5\ufffddzL\ufffd\ufffd) \\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 )\ufffd\ufffd\ufffd\\u0001;j1W$\ufffd\ufffd^\ufffd\\u001f\ufffd\\u0000\ufffd\\rj,\ufffdh\ufffd?\ufffd\ufffdJ\ufffd\ufffd\\u0012\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdr\ufffd\ufffd\u062bV\/\ufffdu\\u0001_`\ufffd[U\ufffd\\u0000\\u0017m\ufffd\ufffd\ufffdr\ufffdc\ufffd@\\u001cQU\ufffd @\ufffd\ufffd\ufffdgv\\u0005iE\ufffdl\ufffd6^\ufffd\u01836A\ufffd\u0573\u00b5\ufffddzL\ufffd\ufffd) \\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223af99d4d644bbd2eec3fe9b4d4f49c20bab624c3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdr\ufffd\ufffd\u062bV\/\ufffdu\\u0001_`\ufffd[U\ufffd\\u0000\\u0017m\ufffd\ufffd\ufffdr\ufffdc\ufffd@\\u001cQU\ufffd @\ufffd\ufffd\ufffdgv\\u0005iE\ufffdl\ufffd6^\ufffd\u01836A\ufffd\u0573\u00b5\ufffddzL\ufffd\ufffd) \\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdr\ufffd\ufffd\u062bV\/\ufffdu_`\ufffd[U\ufffdm\ufffd\ufffd\ufffdr\ufffdc\ufffd@QU\ufffd @\ufffd\ufffd\ufffdgviE\ufffdl\ufffd6^\ufffd\u01836A\ufffd\u0573\u00b5\ufffddzL\ufffd\ufffd) \u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdr\ufffd\ufffd\u062bV\/\ufffdu\\u0001_`\ufffd[U\ufffd\\u0000\\u0017m\ufffd\ufffd\ufffdr\ufffdc\ufffd@\\u001cQU\ufffd @\ufffd\ufffd\ufffdgv\\u0005iE\ufffdl\ufffd6^\ufffd\u01836A\ufffd\u0573\u00b5\ufffddzL\ufffd\ufffd) \\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdr\ufffd\ufffd\u062bV\/\ufffdu_`\ufffd[U\ufffdm\ufffd\ufffd\ufffdr\ufffdc\ufffd@QU\ufffd @\ufffd\ufffd\ufffdgviE\ufffdl\ufffd6^\ufffd\u01836A\ufffd\u0573\u00b5\ufffddzL\ufffd\ufffd) \u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899296,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44078,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.810296032063048, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022ba67da4a0873a704f26ea1168ac832af\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u00004\\u0005P\ufffd~\\u0003E\\u0017\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd5];_\ufffdv\ufffd\ufffd ~\ufffd\ufffd\\u0005%\ufffd2\\u0002\ufffd\ufffd\ufffd?d\\u001a\ufffd\ufffd\ufffd],\ufffd\\u0017\ufffd=\ufffdd\ufffd!)\\\\\ufffdXg\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u00004\\u0005P\ufffd~\\u0003E\\u0017\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd5];_\ufffdv\ufffd\ufffd ~\ufffd\ufffd\\u0005%\ufffd2\\u0002\ufffd\ufffd\ufffd?d\\u001a\ufffd\ufffd\ufffd],\ufffd\\u0017\ufffd=\ufffdd\ufffd!)\\\\\ufffdXg\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \/\ufffd\ufffd\ufffd\\u0007V\ufffd\ufffdF\ufffd\ufffd)2\\u0004\ufffd\ufffdk!`\ufffd,X\ufffdT\ufffd\\u0017e\u0d74k\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u00004\\u0005P\ufffd~\\u0003E\\u0017\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd5];_\ufffdv\ufffd\ufffd ~\ufffd\ufffd\\u0005%\ufffd2\\u0002\ufffd\ufffd\ufffd?d\\u001a\ufffd\ufffd\ufffd],\ufffd\\u0017\ufffd=\ufffdd\ufffd!)\\\\\ufffdXg\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227f910a7d41f4fe1cb8d344ec3e4fd74e368f74f5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u00004\\u0005P\ufffd~\\u0003E\\u0017\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd5];_\ufffdv\ufffd\ufffd ~\ufffd\ufffd\\u0005%\ufffd2\\u0002\ufffd\ufffd\ufffd?d\\u001a\ufffd\ufffd\ufffd],\ufffd\\u0017\ufffd=\ufffdd\ufffd!)\\\\\ufffdXg\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd4P\ufffd~E\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd5];_\ufffdv\ufffd\ufffd ~\ufffd\ufffd%\ufffd2\ufffd\ufffd\ufffd?d\ufffd\ufffd\ufffd],\ufffd\ufffd=\ufffdd\ufffd!)\\\\\ufffdXg\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u00004\\u0005P\ufffd~\\u0003E\\u0017\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd5];_\ufffdv\ufffd\ufffd ~\ufffd\ufffd\\u0005%\ufffd2\\u0002\ufffd\ufffd\ufffd?d\\u001a\ufffd\ufffd\ufffd],\ufffd\\u0017\ufffd=\ufffdd\ufffd!)\\\\\ufffdXg\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd4P\ufffd~E\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd5];_\ufffdv\ufffd\ufffd ~\ufffd\ufffd%\ufffd2\ufffd\ufffd\ufffd?d\ufffd\ufffd\ufffd],\ufffd\ufffd=\ufffdd\ufffd!)\\\\\ufffdXg\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899297,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44080,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.878627276753862, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00226dda92388156c1a489e1be52f8937870\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0720\ufffd\ufffdK|\ufffd\u2ad1\u00b5R\ufffd\ufffdT2\ufffd\\t\ufffd\ufffdWA\ufffd\\u001d\ufffdk\ufffd#\ufffd\\u0017 \ufffd\ufffdB\ufffd\\u0016$\\u0015\ufffdC\ufffd\ufffd=;\ufffd\\u0007\ufffd\ufffd\ufffd\ufffd\\u000f\\u0019\ufffd\\u0005\ufffdK\ufffd\ufffdJ1\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0720\ufffd\ufffdK|\ufffd\u2ad1\u00b5R\ufffd\ufffdT2\ufffd\\t\ufffd\ufffdWA\ufffd\\u001d\ufffdk\ufffd#\ufffd\\u0017 \ufffd\ufffdB\ufffd\\u0016$\\u0015\ufffdC\ufffd\ufffd=;\ufffd\\u0007\ufffd\ufffd\ufffd\ufffd\\u000f\\u0019\ufffd\\u0005\ufffdK\ufffd\ufffdJ1\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 p\ufffd\\u0010\\u001b\ufffd\\u0012dr\ufffd4\\u0015\ufffd\\u0004v\\u001eY\ufffdVW\ufffd\ufffd\ufffd\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffd\ufffdxy\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0720\ufffd\ufffdK|\ufffd\u2ad1\u00b5R\ufffd\ufffdT2\ufffd\\t\ufffd\ufffdWA\ufffd\\u001d\ufffdk\ufffd#\ufffd\\u0017 \ufffd\ufffdB\ufffd\\u0016$\\u0015\ufffdC\ufffd\ufffd=;\ufffd\\u0007\ufffd\ufffd\ufffd\ufffd\\u000f\\u0019\ufffd\\u0005\ufffdK\ufffd\ufffdJ1\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022be6ef8a3e4f95721e53ed99eeecb5ef44fbc07f7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0720\ufffd\ufffdK|\ufffd\u2ad1\u00b5R\ufffd\ufffdT2\ufffd\\t\ufffd\ufffdWA\ufffd\\u001d\ufffdk\ufffd#\ufffd\\u0017 \ufffd\ufffdB\ufffd\\u0016$\\u0015\ufffdC\ufffd\ufffd=;\ufffd\\u0007\ufffd\ufffd\ufffd\ufffd\\u000f\\u0019\ufffd\\u0005\ufffdK\ufffd\ufffdJ1\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0720\ufffd\ufffdK|\ufffd\u2ad1\u00b5R\ufffd\ufffdT2\ufffd\\t\ufffd\ufffdWA\ufffd\ufffdk\ufffd#\ufffd \ufffd\ufffdB\ufffd$\ufffdC\ufffd\ufffd=;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffdJ1\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u0720\ufffd\ufffdK|\ufffd\u2ad1\u00b5R\ufffd\ufffdT2\ufffd\\t\ufffd\ufffdWA\ufffd\\u001d\ufffdk\ufffd#\ufffd\\u0017 \ufffd\ufffdB\ufffd\\u0016$\\u0015\ufffdC\ufffd\ufffd=;\ufffd\\u0007\ufffd\ufffd\ufffd\ufffd\\u000f\\u0019\ufffd\\u0005\ufffdK\ufffd\ufffdJ1\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0720\ufffd\ufffdK|\ufffd\u2ad1\u00b5R\ufffd\ufffdT2\ufffd\\t\ufffd\ufffdWA\ufffd\ufffdk\ufffd#\ufffd \ufffd\ufffdB\ufffd$\ufffdC\ufffd\ufffd=;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffdJ1\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899298,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44088,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.745605369274976, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00229d06dba3d6292e4853e1e81c3f0bfc9e\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003W\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0002_\ufffd_:\ufffd\\t\ufffd\\u0007\ufffd\\b(\\\\\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\u0681\ufffd\ufffd \\u0006\ufffd\\u0001\ue00e\ufffd\ufffd\ufffd\ufffd%\ufffd#\ufffd\\b\ufffd\\u001d\ufffd\u0688\\\u0022y.\ufffd\ufffd\ufffd\\u0004\\u0007b\ufffdA\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003W\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0002_\ufffd_:\ufffd\\t\ufffd\\u0007\ufffd\\b(\\\\\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\u0681\ufffd\ufffd \\u0006\ufffd\\u0001\ue00e\ufffd\ufffd\ufffd\ufffd%\ufffd#\ufffd\\b\ufffd\\u001d\ufffd\u0688\\\u0022y.\ufffd\ufffd\ufffd\\u0004\\u0007b\ufffdA\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 }\ufffd\\u0002\ufffd\ufffdC\\u0013z\ufffd\ufffdW\ufffdT\ufffd\\u0000m@\ufffdI\u06fc2H\u003C\\u001c_\ufffdd%Y\ufffde\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003W\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0002_\ufffd_:\ufffd\\t\ufffd\\u0007\ufffd\\b(\\\\\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\u0681\ufffd\ufffd \\u0006\ufffd\\u0001\ue00e\ufffd\ufffd\ufffd\ufffd%\ufffd#\ufffd\\b\ufffd\\u001d\ufffd\u0688\\\u0022y.\ufffd\ufffd\ufffd\\u0004\\u0007b\ufffdA\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c46683ecb8b865516e7eba309a36c40fceb74486\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003W\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0002_\ufffd_:\ufffd\\t\ufffd\\u0007\ufffd\\b(\\\\\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\u0681\ufffd\ufffd \\u0006\ufffd\\u0001\ue00e\ufffd\ufffd\ufffd\ufffd%\ufffd#\ufffd\\b\ufffd\\u001d\ufffd\u0688\\\u0022y.\ufffd\ufffd\ufffd\\u0004\\u0007b\ufffdA\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdW\ufffd\ufffd\ufffd@\ufffd\ufffd_\ufffd_:\ufffd\\t\ufffd\ufffd(\\\\\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\u0681\ufffd\ufffd \ufffd\ue00e\ufffd\ufffd\ufffd\ufffd%\ufffd#\ufffd\ufffd\ufffd\u0688\\\u0022y.\ufffd\ufffd\ufffdb\ufffdA\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003W\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0002_\ufffd_:\ufffd\\t\ufffd\\u0007\ufffd\\b(\\\\\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\u0681\ufffd\ufffd \\u0006\ufffd\\u0001\ue00e\ufffd\ufffd\ufffd\ufffd%\ufffd#\ufffd\\b\ufffd\\u001d\ufffd\u0688\\\u0022y.\ufffd\ufffd\ufffd\\u0004\\u0007b\ufffdA\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdW\ufffd\ufffd\ufffd@\ufffd\ufffd_\ufffd_:\ufffd\\t\ufffd\ufffd(\\\\\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\u0681\ufffd\ufffd \ufffd\ue00e\ufffd\ufffd\ufffd\ufffd%\ufffd#\ufffd\ufffd\ufffd\u0688\\\u0022y.\ufffd\ufffd\ufffdb\ufffdA\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899299,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44098,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.920425918800479, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022fab45cbbda43e9a587bbe78dce7a7c60\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOT\ufffd\u7335\ufffdh\ud681\\u0010^ns\ufffd\ufffd\ufffd\\u0011N$\ufffd \ufffd\\u0003\\u000f#\ufffd\\u001e\ufffd_\ufffd\u0645i\ufffd\\\u0022\ufffd\\u0003\ufffd\ufffdG,1\\\\0H\ufffd\ufffdzL|\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOT\ufffd\u7335\ufffdh\ud681\\u0010^ns\ufffd\ufffd\ufffd\\u0011N$\ufffd \ufffd\\u0003\\u000f#\ufffd\\u001e\ufffd_\ufffd\u0645i\ufffd\\\u0022\ufffd\\u0003\ufffd\ufffdG,1\\\\0H\ufffd\ufffdzL|\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 %9\ufffd\ufffd\ufffd\u03b9t\u04a5\ufffd\ufffd\ufffd\u0319=\ufffd\ufffd\ufffdT\ufffdm\ufffd\ufffd\u0527\u04f8\\u000b\ufffd\ufffd\\u001d\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOT\ufffd\u7335\ufffdh\ud681\\u0010^ns\ufffd\ufffd\ufffd\\u0011N$\ufffd \ufffd\\u0003\\u000f#\ufffd\\u001e\ufffd_\ufffd\u0645i\ufffd\\\u0022\ufffd\\u0003\ufffd\ufffdG,1\\\\0H\ufffd\ufffdzL|\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022230dbbff555c6ea4ef8c42bd62e874196732b8bf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOT\ufffd\u7335\ufffdh\ud681\\u0010^ns\ufffd\ufffd\ufffd\\u0011N$\ufffd \ufffd\\u0003\\u000f#\ufffd\\u001e\ufffd_\ufffd\u0645i\ufffd\\\u0022\ufffd\\u0003\ufffd\ufffdG,1\\\\0H\ufffd\ufffdzL|\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOT\ufffd\u7335\ufffdh\ud681^ns\ufffd\ufffd\ufffdN$\ufffd \ufffd#\ufffd\ufffd_\ufffd\u0645i\ufffd\\\u0022\ufffd\ufffd\ufffdG,1\\\\0H\ufffd\ufffdzL|\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOT\ufffd\u7335\ufffdh\ud681\\u0010^ns\ufffd\ufffd\ufffd\\u0011N$\ufffd \ufffd\\u0003\\u000f#\ufffd\\u001e\ufffd_\ufffd\u0645i\ufffd\\\u0022\ufffd\\u0003\ufffd\ufffdG,1\\\\0H\ufffd\ufffdzL|\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOT\ufffd\u7335\ufffdh\ud681^ns\ufffd\ufffd\ufffdN$\ufffd \ufffd#\ufffd\ufffd_\ufffd\u0645i\ufffd\\\u0022\ufffd\ufffd\ufffdG,1\\\\0H\ufffd\ufffdzL|\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899300,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44100,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.903635278484803, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022e78fab0f48ece8886cd8733712888c2f\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t\ufffd\ufffdi]9\ufffd5\\u001c\ufffd\ufffd!%\ufffd\ufffd\ufffd\\u001d\ufffdt\ufffd\ufffd8F\ufffd$\\u0015\ufffd\ufffd\ufffd 3\ufffd:\ufffd\ufffd\ufffd25\\u0006\u07bd`D?\ufffd}7\ufffd\ufffd\ufffdy\u070e\ufffd{L.\ufffd\\bcM\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t\ufffd\ufffdi]9\ufffd5\\u001c\ufffd\ufffd!%\ufffd\ufffd\ufffd\\u001d\ufffdt\ufffd\ufffd8F\ufffd$\\u0015\ufffd\ufffd\ufffd 3\ufffd:\ufffd\ufffd\ufffd25\\u0006\u07bd`D?\ufffd}7\ufffd\ufffd\ufffdy\u070e\ufffd{L.\ufffd\\bcM\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdg\\u0002h\ufffd\ufffd\ufffd\\u0015\ufffdN~\ufffd\\u001cq\ufffd\\u0018\ufffd\ufffdL_:f\ufffd\ufffdy\ufffd\ufffd\ufffd\\fh\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t\ufffd\ufffdi]9\ufffd5\\u001c\ufffd\ufffd!%\ufffd\ufffd\ufffd\\u001d\ufffdt\ufffd\ufffd8F\ufffd$\\u0015\ufffd\ufffd\ufffd 3\ufffd:\ufffd\ufffd\ufffd25\\u0006\u07bd`D?\ufffd}7\ufffd\ufffd\ufffdy\u070e\ufffd{L.\ufffd\\bcM\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002255878e075f0a8d9f3df71a8452c88b7a4c55ec15\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t\ufffd\ufffdi]9\ufffd5\\u001c\ufffd\ufffd!%\ufffd\ufffd\ufffd\\u001d\ufffdt\ufffd\ufffd8F\ufffd$\\u0015\ufffd\ufffd\ufffd 3\ufffd:\ufffd\ufffd\ufffd25\\u0006\u07bd`D?\ufffd}7\ufffd\ufffd\ufffdy\u070e\ufffd{L.\ufffd\\bcM\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd\ufffdi]9\ufffd5\ufffd\ufffd!%\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd8F\ufffd$\ufffd\ufffd\ufffd 3\ufffd:\ufffd\ufffd\ufffd25\u07bd`D?\ufffd}7\ufffd\ufffd\ufffdy\u070e\ufffd{L.\ufffdcM\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\\t\ufffd\ufffdi]9\ufffd5\\u001c\ufffd\ufffd!%\ufffd\ufffd\ufffd\\u001d\ufffdt\ufffd\ufffd8F\ufffd$\\u0015\ufffd\ufffd\ufffd 3\ufffd:\ufffd\ufffd\ufffd25\\u0006\u07bd`D?\ufffd}7\ufffd\ufffd\ufffdy\u070e\ufffd{L.\ufffd\\bcM\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\\t\ufffd\ufffdi]9\ufffd5\ufffd\ufffd!%\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd8F\ufffd$\ufffd\ufffd\ufffd 3\ufffd:\ufffd\ufffd\ufffd25\u07bd`D?\ufffd}7\ufffd\ufffd\ufffdy\u070e\ufffd{L.\ufffdcM\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899301,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44104,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.861183466203588, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022d301712b1c653c8050df299146083ab7\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\\f\ufffdyf\ufffd~\ufffd\ufffdcX\\u0006!\ufffd\ufffd\ufffduL\ufffd?\ufffd\\u001eL\\\\\ufffd3_i ^X\ufffd\\u000f\ufffd\\u001d\ufffd!O;\ufffd8\\u0003\ufffd\ufffd;\ufffd\ufffd\ufffd=\ufffdCI\u077c\/\ufffdUfG\\u0007\\u0017\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\\f\ufffdyf\ufffd~\ufffd\ufffdcX\\u0006!\ufffd\ufffd\ufffduL\ufffd?\ufffd\\u001eL\\\\\ufffd3_i ^X\ufffd\\u000f\ufffd\\u001d\ufffd!O;\ufffd8\\u0003\ufffd\ufffd;\ufffd\ufffd\ufffd=\ufffdCI\u077c\/\ufffdUfG\\u0007\\u0017\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 i\ufffd\ufffda\ufffd\ufffdyx\ufffd\\\\\ufffd\ufffd\ufffd\ufffd\\r\ufffd\ufffdR\\u0014+\ufffd\ufffd\ufffd\\t6\ufffd\u01e1\\u001fT\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\\f\ufffdyf\ufffd~\ufffd\ufffdcX\\u0006!\ufffd\ufffd\ufffduL\ufffd?\ufffd\\u001eL\\\\\ufffd3_i ^X\ufffd\\u000f\ufffd\\u001d\ufffd!O;\ufffd8\\u0003\ufffd\ufffd;\ufffd\ufffd\ufffd=\ufffdCI\u077c\/\ufffdUfG\\u0007\\u0017\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002288b24330362e3577e2b53c6cecb08e2953f93197\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\\f\ufffdyf\ufffd~\ufffd\ufffdcX\\u0006!\ufffd\ufffd\ufffduL\ufffd?\ufffd\\u001eL\\\\\ufffd3_i ^X\ufffd\\u000f\ufffd\\u001d\ufffd!O;\ufffd8\\u0003\ufffd\ufffd;\ufffd\ufffd\ufffd=\ufffdCI\u077c\/\ufffdUfG\\u0007\\u0017\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffdyf\ufffd~\ufffd\ufffdcX!\ufffd\ufffd\ufffduL\ufffd?\ufffdL\\\\\ufffd3_i ^X\ufffd\ufffd\ufffd!O;\ufffd8\ufffd\ufffd;\ufffd\ufffd\ufffd=\ufffdCI\u077c\/\ufffdUfG\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdN\ufffd\\f\ufffdyf\ufffd~\ufffd\ufffdcX\\u0006!\ufffd\ufffd\ufffduL\ufffd?\ufffd\\u001eL\\\\\ufffd3_i ^X\ufffd\\u000f\ufffd\\u001d\ufffd!O;\ufffd8\\u0003\ufffd\ufffd;\ufffd\ufffd\ufffd=\ufffdCI\u077c\/\ufffdUfG\\u0007\\u0017\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdN\ufffd\ufffdyf\ufffd~\ufffd\ufffdcX!\ufffd\ufffd\ufffduL\ufffd?\ufffdL\\\\\ufffd3_i ^X\ufffd\ufffd\ufffd!O;\ufffd8\ufffd\ufffd;\ufffd\ufffd\ufffd=\ufffdCI\u077c\/\ufffdUfG\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899302,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44118,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.805793948002563, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00229ddc6a8fba9b1c795688f65e8709882e\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh%\ufffd\ufffdn$\ufffd\ufffdH\ufffd\u0709\ufffd\\u0013#\ufffd\/\\u000e\ufffd\ufffd\\u000b\ufffdOi#\ufffd\u07162 (\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd~\u0027\\b\\u0002\\u0019\ufffd_\ufffd\ufffd\ufffdz\ufffdO\ufffdQNu\ufffd\ufffd\\r\ufffd~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh%\ufffd\ufffdn$\ufffd\ufffdH\ufffd\u0709\ufffd\\u0013#\ufffd\/\\u000e\ufffd\ufffd\\u000b\ufffdOi#\ufffd\u07162 (\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd~\u0027\\b\\u0002\\u0019\ufffd_\ufffd\ufffd\ufffdz\ufffdO\ufffdQNu\ufffd\ufffd\\r\ufffd~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdAi\ufffd\\u0012\ufffdr\ufffd\\u001e{\ufffd@\ufffd\u0448\\u0019.\ufffdA[\ufffdm\ufffd\u0301\ufffd\ufffdUA\ufffd)\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh%\ufffd\ufffdn$\ufffd\ufffdH\ufffd\u0709\ufffd\\u0013#\ufffd\/\\u000e\ufffd\ufffd\\u000b\ufffdOi#\ufffd\u07162 (\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd~\u0027\\b\\u0002\\u0019\ufffd_\ufffd\ufffd\ufffdz\ufffdO\ufffdQNu\ufffd\ufffd\\r\ufffd~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002285eb3ef023c7c0b58e6cc0b4cd4f153ac703563c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh%\ufffd\ufffdn$\ufffd\ufffdH\ufffd\u0709\ufffd\\u0013#\ufffd\/\\u000e\ufffd\ufffd\\u000b\ufffdOi#\ufffd\u07162 (\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd~\u0027\\b\\u0002\\u0019\ufffd_\ufffd\ufffd\ufffdz\ufffdO\ufffdQNu\ufffd\ufffd\\r\ufffd~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdh%\ufffd\ufffdn$\ufffd\ufffdH\ufffd\u0709\ufffd#\ufffd\/\ufffd\ufffd\ufffdOi#\ufffd\u07162 (\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd~\u0027\ufffd_\ufffd\ufffd\ufffdz\ufffdO\ufffdQNu\ufffd\ufffd\\r\ufffd~\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh%\ufffd\ufffdn$\ufffd\ufffdH\ufffd\u0709\ufffd\\u0013#\ufffd\/\\u000e\ufffd\ufffd\\u000b\ufffdOi#\ufffd\u07162 (\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd~\u0027\\b\\u0002\\u0019\ufffd_\ufffd\ufffd\ufffdz\ufffdO\ufffdQNu\ufffd\ufffd\\r\ufffd~\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdh%\ufffd\ufffdn$\ufffd\ufffdH\ufffd\u0709\ufffd#\ufffd\/\ufffd\ufffd\ufffdOi#\ufffd\u07162 (\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd~\u0027\ufffd_\ufffd\ufffd\ufffdz\ufffdO\ufffdQNu\ufffd\ufffd\\r\ufffd~\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899303,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44126,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.8427892804659844, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u0022c2d28011b48b298def3fa40eefac9748\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\u0022U\ufffd\ufffd4a\\u0007\ufffd\ufffd\ufffd2\ufffd\\r\ufffdj\ufffdl=1\\u0003J\ufffd\ufffddt\ufffdH\ufffdsD\\u0011\ufffd M\ufffdQ\ufffd_\ufffd%x\ufffd\ufffd\ufffd\ufffdb\ufffd\\u0010\\u0001x\ufffd\ufffd\u066e_\\u0012r\ufffd\ufffddl\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\u0022U\ufffd\ufffd4a\\u0007\ufffd\ufffd\ufffd2\ufffd\\r\ufffdj\ufffdl=1\\u0003J\ufffd\ufffddt\ufffdH\ufffdsD\\u0011\ufffd M\ufffdQ\ufffd_\ufffd%x\ufffd\ufffd\ufffd\ufffdb\ufffd\\u0010\\u0001x\ufffd\ufffd\u066e_\\u0012r\ufffd\ufffddl\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 D\\u0012z\\u0006|\ufffd\\u0004q\\u0013\ufffd\\t\\u0016\ufffd\\u001a\ufffd\ufffdmx\ufffdm\ufffd\ufffdrq\ufffd\ufffd`,\u04fa\ufffdB\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\u0022U\ufffd\ufffd4a\\u0007\ufffd\ufffd\ufffd2\ufffd\\r\ufffdj\ufffdl=1\\u0003J\ufffd\ufffddt\ufffdH\ufffdsD\\u0011\ufffd M\ufffdQ\ufffd_\ufffd%x\ufffd\ufffd\ufffd\ufffdb\ufffd\\u0010\\u0001x\ufffd\ufffd\u066e_\\u0012r\ufffd\ufffddl\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022253febdf02f76137cb97090fec99913c9a171b5a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\u0022U\ufffd\ufffd4a\\u0007\ufffd\ufffd\ufffd2\ufffd\\r\ufffdj\ufffdl=1\\u0003J\ufffd\ufffddt\ufffdH\ufffdsD\\u0011\ufffd M\ufffdQ\ufffd_\ufffd%x\ufffd\ufffd\ufffd\ufffdb\ufffd\\u0010\\u0001x\ufffd\ufffd\u066e_\\u0012r\ufffd\ufffddl\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\\\u0022U\ufffd\ufffd4a\ufffd\ufffd\ufffd2\ufffd\\r\ufffdj\ufffdl=1J\ufffd\ufffddt\ufffdH\ufffdsD\ufffd M\ufffdQ\ufffd_\ufffd%x\ufffd\ufffd\ufffd\ufffdb\ufffdx\ufffd\ufffd\u066e_r\ufffd\ufffddl\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\\u0022U\ufffd\ufffd4a\\u0007\ufffd\ufffd\ufffd2\ufffd\\r\ufffdj\ufffdl=1\\u0003J\ufffd\ufffddt\ufffdH\ufffdsD\\u0011\ufffd M\ufffdQ\ufffd_\ufffd%x\ufffd\ufffd\ufffd\ufffdb\ufffd\\u0010\\u0001x\ufffd\ufffd\u066e_\\u0012r\ufffd\ufffddl\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\\\u0022U\ufffd\ufffd4a\ufffd\ufffd\ufffd2\ufffd\\r\ufffdj\ufffdl=1J\ufffd\ufffddt\ufffdH\ufffdsD\ufffd M\ufffdQ\ufffd_\ufffd%x\ufffd\ufffd\ufffd\ufffdb\ufffdx\ufffd\ufffd\u066e_r\ufffd\ufffddl\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239},{"id":8899304,"ip":"34.180.20.149","ts":"2026-06-14 13:09:08.000000","proto":"tcp","src_port":44130,"dst_port":9008,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 239, \u0022payload_entropy\u0022: 5.90911663440157, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Google LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 396982, \u0022country\u0022: \u0022IN\u0022, \u0022dst_port\u0022: 9008, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220580db003e700b7ec4715749451fa662e20d0adc\u0022, \u0022event_fingerprint\u0022: \u00223e5fdc9a7d9b08f97289d34fc1fc0f30c5d7d9c6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022IN\u0022, \u0022asn\u0022: 396982, \u0022org\u0022: \u0022Google LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022payload_hash\u0022: \u00226e42b47afc04be0f73c730ddeac32d60\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq-x\ufffd\\u001an\ufffd\ufffd\ufffdy+\ufffd5lV\ufffdtG_\ufffd\ufffdgMON\ufffdh\\u0010\ufffd-\ufffd i\\u001c\ufffd\ufffd\ufffd\ufffd\u05c7!\ufffd\ufffd\ufffd\ufffd\ufffd5\\u0012\ufffd\ufffdB\ufffd\ufffd\ufffd\\u001d\ufffdp\ufffdt\ufffd\ufffd\ufffd[\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq-x\ufffd\\u001an\ufffd\ufffd\ufffdy+\ufffd5lV\ufffdtG_\ufffd\ufffdgMON\ufffdh\\u0010\ufffd-\ufffd i\\u001c\ufffd\ufffd\ufffd\ufffd\u05c7!\ufffd\ufffd\ufffd\ufffd\ufffd5\\u0012\ufffd\ufffdB\ufffd\ufffd\ufffd\\u001d\ufffdp\ufffdt\ufffd\ufffd\ufffd[\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 (\ufffd\\u0012\ufffdJ\u03e3O\u0530D\ufffd\ufffd\ufffd\ufffdZ\ufffd\u43ab\ufffd\ufffd\\\u0022\ufffd\ufffd\ufffd\ufffd\ufffdY\\f\\u0011_\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq-x\ufffd\\u001an\ufffd\ufffd\ufffdy+\ufffd5lV\ufffdtG_\ufffd\ufffdgMON\ufffdh\\u0010\ufffd-\ufffd i\\u001c\ufffd\ufffd\ufffd\ufffd\u05c7!\ufffd\ufffd\ufffd\ufffd\ufffd5\\u0012\ufffd\ufffdB\ufffd\ufffd\ufffd\\u001d\ufffdp\ufffdt\ufffd\ufffd\ufffd[\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a3d225a0cadc6753c2168df9482946da5fb4574e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq-x\ufffd\\u001an\ufffd\ufffd\ufffdy+\ufffd5lV\ufffdtG_\ufffd\ufffdgMON\ufffdh\\u0010\ufffd-\ufffd i\\u001c\ufffd\ufffd\ufffd\ufffd\u05c7!\ufffd\ufffd\ufffd\ufffd\ufffd5\\u0012\ufffd\ufffdB\ufffd\ufffd\ufffd\\u001d\ufffdp\ufffdt\ufffd\ufffd\ufffd[\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdq-x\ufffdn\ufffd\ufffd\ufffdy+\ufffd5lV\ufffdtG_\ufffd\ufffdgMON\ufffdh\ufffd-\ufffd i\ufffd\ufffd\ufffd\ufffd\u05c7!\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffdp\ufffdt\ufffd\ufffd\ufffd[\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9008, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdq-x\ufffd\\u001an\ufffd\ufffd\ufffdy+\ufffd5lV\ufffdtG_\ufffd\ufffdgMON\ufffdh\\u0010\ufffd-\ufffd i\\u001c\ufffd\ufffd\ufffd\ufffd\u05c7!\ufffd\ufffd\ufffd\ufffd\ufffd5\\u0012\ufffd\ufffdB\ufffd\ufffd\ufffd\\u001d\ufffdp\ufffdt\ufffd\ufffd\ufffd[\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000w\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002219e29534fd49dd27d09234e639c4057e\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 9008, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9008 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdq-x\ufffdn\ufffd\ufffd\ufffdy+\ufffd5lV\ufffdtG_\ufffd\ufffdgMON\ufffdh\ufffd-\ufffd i\ufffd\ufffd\ufffd\ufffd\u05c7!\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffdp\ufffdt\ufffd\ufffd\ufffd[\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\nw\u0022, \u0022target_port_label\u0022: \u00229008 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229008\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"19e29534fd49dd27d09234e639c4057e","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":239}],"total_events":60}