Détails IP 34.180.34.53

Synthèse exécutive

Profil de menace

Score de risque 50/100 Moyen

Première observation 14/06/2026 11:02 UTC

Dernière observation 14/06/2026 11:02 UTC

Événements (période) 60

MITRE ATT&CK principal TA0007 39 occurrences

Activité suspecte — risque 50/100 (Moyen) — MITRE TA0043 — confiance 52 % — via HTTPS

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_scan_syn » (signaux protocolaires) · confiance 52%

Confiance 52 % — Score WAF 8

Comparaison ASN / FAI

ASN 396982 · 34.180.0.0/17 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 60 événements sur la période pour cette IP.

205.210.31.222 Sonde Bitcoin 18/06/2026 04:58 UTC
35.203.211.217 Sonde MongoDB 18/06/2026 04:58 UTC
205.210.31.208 Sonde port 18/06/2026 04:56 UTC
162.216.150.204 Scanner web 18/06/2026 04:53 UTC
198.235.24.39 Sonde port 18/06/2026 04:53 UTC
198.235.24.50 Sonde PostgreSQL 18/06/2026 04:52 UTC
35.241.130.26 Tentative d'exploit 18/06/2026 04:52 UTC
34.156.218.112 dns probe 18/06/2026 04:52 UTC

IPs apparentées

Même FAI Google LLC — corrélation indicative.

205.210.31.222 Sonde Bitcoin
35.203.211.217 Sonde MongoDB
205.210.31.208 Sonde port
162.216.150.204 Scanner web
198.235.24.39 Sonde port

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

60 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Sonde Redis redis probe · via HTTPS:9443 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 Pourquoi cette classification : Type « redis_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 48 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 Requête brute (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 252, "payload_entropy": 5.382910031876132, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d6bab9f44b99bc03364935fa21feb62c", "path_pattern_hash": "6e0ba9e225393613123b3c92872287df" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c3bbe851656c51a4f54e162689f55418c0a17d09", "protocol_details": { "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Sonde Redis redis probe · via HTTPS:9443 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /src/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build/PPR1.180 Pourquoi cette classification : Type « redis_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 48 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /src/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build/PPR1.180 Requête brute (extrait) GET /src/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.0 Chrome/67.0.3396.87 Mobile Safari/537.36 Accept-Charset: utf Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 304, "payload_entropy": 5.500352370756832, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1efccef14699eeec6e58f772443b366d", "path_pattern_hash": "6e0ba9e225393613123b3c92872287df" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build\/PPR1.180", "request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.0 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf", "payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build\/PPR1.180", "evidence": { "request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.0 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf", "payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build\/PPR1.180", "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "570a504e21476300282df707e353657919125811", "protocol_details": { "payload_preview": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build\/PPR1.180", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build\/PPR1.180", "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build\/PPR1.180", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965U Build\/PPR1.180", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Sonde Redis redis probe · via HTTPS:9443 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /v1/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWe Pourquoi cette classification : Type « redis_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 48 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /v1/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWe Requête brute (extrait) GET /v1/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 270, "payload_entropy": 5.388548806689986, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cf0728b2910d646c281e7ef9791436c1", "path_pattern_hash": "6e0ba9e225393613123b3c92872287df" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWe", "request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D257 Safari\/9537.53\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWe", "evidence": { "request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D257 Safari\/9537.53\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWe", "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd857926c961e7d7832f83b0e8bd92c7c1d0aa46", "protocol_details": { "payload_preview": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWe", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWe", "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWe", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWe", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Sonde Redis redis probe · via HTTPS:9443 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /api/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (K Pourquoi cette classification : Type « redis_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 48 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /api/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (K Requête brute (extrait) GET /api/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 248, "payload_entropy": 5.3840829025171075, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f3c0e6ba6bf58482085cff765b66faed", "path_pattern_hash": "6e0ba9e225393613123b3c92872287df" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "evidence": { "request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bde188d91fcb193f0f15ee93f26b9fc30cc7f5dd", "protocol_details": { "payload_preview": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (K", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Sonde Redis redis probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe net_web_probe redis_config_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /frontend/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.64 (Macintosh; PPC Mac OS X; U; en) Presto/2.1.1 Pourquoi cette classification : Type « redis_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /frontend/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.64 (Macintosh; PPC Mac OS X; U; en) Presto/2.1.1 Requête brute (extrait) GET /frontend/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.64 (Macintosh; PPC Mac OS X; U; en) Presto/2.1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 196, "payload_entropy": 5.167751256365301, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 32, "tag_count": 5, "anomaly_count": 0, "campaign_key": "bbceadc06b305802fbad4dfc9a75300c5362c9b3", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 32 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9f178673d125b8cbfdc219ffff05807c", "path_pattern_hash": "6e0ba9e225393613123b3c92872287df" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 32 }, "payload_preview": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.64 (Macintosh; PPC Mac OS X; U; en) Presto\/2.1.1\r", "request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.64 (Macintosh; PPC Mac OS X; U; en) Presto\/2.1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.64 (Macintosh; PPC Mac OS X; U; en) Presto\/2.1.1", "evidence": { "request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.64 (Macintosh; PPC Mac OS X; U; en) Presto\/2.1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.64 (Macintosh; PPC Mac OS X; U; en) Presto\/2.1.1", "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5923df4a31a2c85e96ee2d5be1b668d68bac7ee4", "protocol_details": { "payload_preview": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.64 (Macintosh; PPC Mac OS X; U; en) Presto\/2.1.1", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.64 (Macintosh; PPC Mac OS X; U; en) Presto\/2.1.1", "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.64 (Macintosh; PPC Mac OS X; U; en) Presto\/2.1.1", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.64 (Macintosh; PPC Mac OS X; U; en) Presto\/2.1.1", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Sonde Redis redis probe · via HTTPS:9443 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /app/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/53 Pourquoi cette classification : Type « redis_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 48 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /app/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/53 Requête brute (extrait) GET /app/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 256, "payload_entropy": 5.403212206595533, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "079f25019d6d8b9f26869181ae79e866", "path_pattern_hash": "6e0ba9e225393613123b3c92872287df" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53", "request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53", "evidence": { "request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53", "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e4620940d824a32adf9ab58e483f722ab16ec8f8", "protocol_details": { "payload_preview": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53", "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/53", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Sonde Redis redis probe · via HTTPS:9443 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /v2/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) Apple Pourquoi cette classification : Type « redis_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 48 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /v2/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) Apple Requête brute (extrait) GET /v2/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 Slackware/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.41 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 248, "payload_entropy": 5.463481086190029, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "11a8525288f9812fc6221e64db14767f", "path_pattern_hash": "6e0ba9e225393613123b3c92872287df" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 Slackware\/13.37 (X11; U; Linux x86_64; en-US) Apple", "request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 Slackware\/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/13.0.782.41\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 Slackware\/13.37 (X11; U; Linux x86_64; en-US) Apple", "evidence": { "request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 Slackware\/13.37 (X11; U; Linux x86_64; en-US) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/13.0.782.41\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 Slackware\/13.37 (X11; U; Linux x86_64; en-US) Apple", "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bdba69646c320cd992be5fb506b30a0941b5369b", "protocol_details": { "payload_preview": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 Slackware\/13.37 (X11; U; Linux x86_64; en-US) Apple", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 Slackware\/13.37 (X11; U; Linux x86_64; en-US) Apple", "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 Slackware\/13.37 (X11; U; Linux x86_64; en-US) Apple", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 Slackware\/13.37 (X11; U; Linux x86_64; en-US) Apple", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Sonde Redis redis probe · via HTTPS:9443 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /html/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit/ Pourquoi cette classification : Type « redis_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 48 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /html/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit/ Requête brute (extrait) GET /html/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 265, "payload_entropy": 5.404871304428918, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f871e85c95bc3be1de0fb319f1577ed9", "path_pattern_hash": "6e0ba9e225393613123b3c92872287df" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/", "request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/", "evidence": { "request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/", "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f54b90ed42c9e8c809c3e794b5ca3adec577f22e", "protocol_details": { "payload_preview": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/", "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Sonde Redis redis probe · via HTTPS:9443 · (sonde / probe)	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /backend/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4. Pourquoi cette classification : Type « redis_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 48 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0600 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /backend/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4. Requête brute (extrait) GET /backend/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML/4.8.4 (like Gecko) Konqueror/4.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 227, "payload_entropy": 5.347450399043146, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 48, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0600" ], "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "service_name": "https", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "76ce528c5eae35a73e9c73ccfccff971", "path_pattern_hash": "6e0ba9e225393613123b3c92872287df" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 48 }, "payload_preview": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.", "request_sample": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.", "evidence": { "request_sample": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.8.4 (like Gecko) Konqueror\/4.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.", "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b217bf4c01a01543a2438016a83946645c54a28", "protocol_details": { "payload_preview": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.", "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab redis_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0600" ], "tags_summary_labels_fr": [ "pat-0600" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "redis probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux 3.8-6.dmz.1-liquorix-686) KHTML\/4.", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Faible · 37
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe net_web_probe redis_config_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /public/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Pr Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Faible · 37 Confiance : Confiance 52 % — 5 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /public/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Pr Requête brute (extrait) GET /public/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Presto/2.2.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 207, "payload_entropy": 5.280648863620644, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "bbceadc06b305802fbad4dfc9a75300c5362c9b3", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dae9cf93ca9f14ca95322b7bb08b123d", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 37 }, "payload_preview": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pr", "request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Presto\/2.2.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pr", "evidence": { "request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Presto\/2.2.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pr", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2dcc200a8e2f0345ad7da8c73434d4d35e14df7a", "protocol_details": { "payload_preview": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pr", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pr", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 37\/100 (Faible) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 37 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 37, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pr", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Opera\/9.80 (J2ME\/MIDP; Opera Mini\/5.0.16823\/1428; U; en) Pr", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /web/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010 Build/PKQ1.180716 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /web/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010 Build/PKQ1.180716 Requête brute (extrait) GET /web/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5010 Build/PKQ1.180716.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 416, "payload_entropy": 5.567320836773101, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b6e41fc48aabfa7e16b17c1b47b5d00f", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716", "request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36", "payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716", "evidence": { "request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36", "payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "55ba6697e32910f3989a6bbb1aa9711be5aadd8b", "protocol_details": { "payload_preview": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5010 Build\/PKQ1.180716", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /assets/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; XT1710-02 Build/NDS26.74 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /assets/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; XT1710-02 Build/NDS26.74 Requête brute (extrait) GET /assets/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; XT1710-02 Build/NDS26.74-36) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: g Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 282, "payload_entropy": 5.4535436118886444, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d643a252c74e20cddf461a242741f99c", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; XT1710-02 Build\/NDS26.74", "request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; XT1710-02 Build\/NDS26.74-36) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; XT1710-02 Build\/NDS26.74", "evidence": { "request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; XT1710-02 Build\/NDS26.74-36) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; XT1710-02 Build\/NDS26.74", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7640eb8fa1134f9fbedddb834d47665c576c380d", "protocol_details": { "payload_preview": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; XT1710-02 Build\/NDS26.74", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; XT1710-02 Build\/NDS26.74", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; XT1710-02 Build\/NDS26.74", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; XT1710-02 Build\/NDS26.74", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /dist/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /dist/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /dist/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 251, "payload_entropy": 5.39054980489855, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d3fbcdb44c84f7d7ff12096aaa1aa113", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aaf466a99e1c73bbd0d6384bc07d3a8cb5ad8cc8", "protocol_details": { "payload_preview": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /static/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /static/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en Requête brute (extrait) GET /static/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 279, "payload_entropy": 5.3699868023250765, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e454c18cc5cc8e81c06b6e3c4a709b91", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en", "request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit\/528.18 (KHTML, like Gecko) Version\/4.0 Mobile\/7A341 Safari\/528.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en", "evidence": { "request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit\/528.18 (KHTML, like Gecko) Version\/4.0 Mobile\/7A341 Safari\/528.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b35fa51a1897b20d3e5c607788b3b5fa11933c25", "protocol_details": { "payload_preview": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /htdocs/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build/PPR1. Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /htdocs/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build/PPR1. Requête brute (extrait) GET /htdocs/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Accept-Charset: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 307, "payload_entropy": 5.5205047602791835, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c3861bdb8697f2b1716955195944f1f7", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.", "request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: ", "payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.", "evidence": { "request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: ", "payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13cfc7cf735e2bdf37d5b5f7c9ec54d42bd2c311", "protocol_details": { "payload_preview": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /build/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHT Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /build/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /build/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 UBrowser/5.6.13705.206 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 270, "payload_entropy": 5.443055520355118, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "356de52a43d3a879932bf38dc1f9031d", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/48.0.2564.116 UBrowser\/5.6.13705.206 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "evidence": { "request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/48.0.2564.116 UBrowser\/5.6.13705.206 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8f43f2bba7fd5180e0df1b36ada7b72eab7695c5", "protocol_details": { "payload_preview": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHT", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /www/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /www/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF Requête brute (extrait) GET /www/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 270, "payload_entropy": 5.425117719352874, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6f808dbfee44d5dce3a27073a9dfc17c", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF", "request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF", "evidence": { "request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1ecbd4d4cd0dd55dba0d673c4e91f18611e0945b", "protocol_details": { "payload_preview": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Nexus One Build\/FRF", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /v3/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537.36 (KH Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /v3/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537.36 (KH Requête brute (extrait) GET /v3/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 255, "payload_entropy": 5.4264019243325015, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7adb82d23cde38244ac5445a37d169a1", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KH", "request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KH", "evidence": { "request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eefc039e0cb2aa91c65704b27a855848ea0ff32c", "protocol_details": { "payload_preview": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KH", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KH", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KH", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965U) AppleWebKit\/537.36 (KH", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 2, "behavior_priority": 72 }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /admin/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) ES admin GET HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /admin/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /admin/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 252, "payload_entropy": 5.422090484538062, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0341", "pat-0600" ], "matched_pattern_names": [ "ES admin GET", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0341", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ca0030c3884b36d219303f9525fef372", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "request_sample": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/57.0.2987.133 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/57.0.2987.133 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a3dd1939c4fdff095a8b437e2af5a5530f70394", "protocol_details": { "payload_preview": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /portal/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWe Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /portal/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWe Requête brute (extrait) GET /portal/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.1.0.267 Mobile Safari/534.11+ Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 269, "payload_entropy": 5.40838396597578, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4ec706758306365ae5616dff334d3247", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWe", "request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWebKit\/534.11+ (KHTML, like Gecko) Version\/7.1.0.267 Mobile Safari\/534.11+\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWe", "evidence": { "request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWebKit\/534.11+ (KHTML, like Gecko) Version\/7.1.0.267 Mobile Safari\/534.11+\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWe", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "15c96c4e61bcb895cf828281ca044a4d4893bd7b", "protocol_details": { "payload_preview": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWe", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWe", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWe", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (BlackBerry; U; BlackBerry 9930; en-US) AppleWe", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /dashboard/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:24.0) Gecko/20100101 Fir Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /dashboard/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:24.0) Gecko/20100101 Fir Requête brute (extrait) GET /dashboard/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:24.0) Gecko/20100101 Firefox/24.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 206, "payload_entropy": 5.313358112330817, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7473de4c93c272d98b058a3797047562", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:24.0) Gecko\/20100101 Fir", "request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:24.0) Gecko\/20100101 Firefox\/24.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:24.0) Gecko\/20100101 Fir", "evidence": { "request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:24.0) Gecko\/20100101 Firefox\/24.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:24.0) Gecko\/20100101 Fir", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1146a3177cfe5143d9a480d18da44f615f32759c", "protocol_details": { "payload_preview": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:24.0) Gecko\/20100101 Fir", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:24.0) Gecko\/20100101 Fir", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:24.0) Gecko\/20100101 Fir", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:24.0) Gecko\/20100101 Fir", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /shop/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537. Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /shop/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537. Requête brute (extrait) GET /shop/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 260, "payload_entropy": 5.409597630223928, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "22617d9911a1093287365876a79158e4", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.", "request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.", "evidence": { "request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58d04c7dd213dddfaf1ef0eb3bdadf8486c6ce38", "protocol_details": { "payload_preview": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /blog/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/201001 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /blog/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/201001 Requête brute (extrait) GET /blog/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 212, "payload_entropy": 5.336949754467164, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7ef4d41e6fbc6d66b70738486945cceb", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/201001", "request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/20100101 Firefox\/49.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/201001", "evidence": { "request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/20100101 Firefox\/49.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/201001", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58104157dd494cdae98fecdf60912d1d9c835e8c", "protocol_details": { "payload_preview": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/201001", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/201001", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/201001", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko\/201001", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /site/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/5 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /site/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/5 Requête brute (extrait) GET /site/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 257, "payload_entropy": 5.379385127566149, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "666b8482f317358525777137c5bd653e", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/5", "request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/5", "evidence": { "request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/5", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "594ba88862170e470768826be95bb10bd3fd342e", "protocol_details": { "payload_preview": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/5", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/5", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/5", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/5", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /symfony/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /symfony/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6 Requête brute (extrait) GET /symfony/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 GTB5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 232, "payload_entropy": 5.359652196445958, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "045b895da37a75ee7718837e7f54e9ab", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6", "request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko\/20091201 Firefox\/3.5.6 GTB5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6", "evidence": { "request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko\/20091201 Firefox\/3.5.6 GTB5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "088356bf7c4f73ecabd74868bca66c8de30ac02d", "protocol_details": { "payload_preview": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Faible · 37
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port http_get_probe net_web_probe redis_config_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /wp-content/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Faible · 37 Confiance : Confiance 52 % — 5 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /wp-content/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9 Requête brute (extrait) GET /wp-content/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Lynx/2.8.7dev.4 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8d Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 200, "payload_entropy": 5.265381718576707, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "bbceadc06b305802fbad4dfc9a75300c5362c9b3", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8383bb202af888819e06a8405f682cbb", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 37 }, "payload_preview": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9", "request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9", "evidence": { "request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9.8d\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4bdffb6ee7c60f0b9edd728a77611ed9e0768a53", "protocol_details": { "payload_preview": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 37\/100 (Faible) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 37 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 37, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Lynx\/2.8.7dev.4 libwww-FM\/2.14 SSL-MM\/1.4.1 OpenSSL\/0.9", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /wordpress/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko E Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /wordpress/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko E Requête brute (extrait) GET /wordpress/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany/1.2.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 210, "payload_entropy": 5.314838143012754, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1150dadd1b8c3f500e48c71bd41cb00e", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko E", "request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany\/1.2.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko E", "evidence": { "request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Epiphany\/1.2.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko E", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "831775ace77a76e9bfd31d18462c6cb4deca9b34", "protocol_details": { "payload_preview": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko E", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko E", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko E", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko E", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; bingbot/2.0 http://www.bing.com/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) LFI Double-dot bypass HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; bingbot/2.0 http://www.bing.com/ Requête brute (extrait) GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (compatible; bingbot/2.0 http://www.bing.com/bingbot.htm) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 209, "payload_entropy": 5.140564869810281, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0103", "pat-0600" ], "matched_pattern_names": [ "LFI Double-dot bypass", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0103", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b6c8b009af68882a638262baf138ac9b", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; bingbot\/2.0 http:\/\/www.bing.com\/", "request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; bingbot\/2.0 http:\/\/www.bing.com\/bingbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; bingbot\/2.0 http:\/\/www.bing.com\/", "evidence": { "request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; bingbot\/2.0 http:\/\/www.bing.com\/bingbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; bingbot\/2.0 http:\/\/www.bing.com\/", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "67e9386ca85ff2e1494d3f3e70ef47c2a385698b", "protocol_details": { "payload_preview": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; bingbot\/2.0 http:\/\/www.bing.com\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; bingbot\/2.0 http:\/\/www.bing.com\/", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; bingbot\/2.0 http:\/\/www.bing.com\/", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (compatible; bingbot\/2.0 http:\/\/www.bing.com\/", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /code/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko/201008 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /code/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko/201008 Requête brute (extrait) GET /code/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko/20100815 Minefield/4.0b4pre Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 218, "payload_entropy": 5.3013038346721615, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5e5fbe0e6cd8b560ed8c38b96a28cebf", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko\/201008", "request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko\/20100815 Minefield\/4.0b4pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko\/201008", "evidence": { "request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko\/20100815 Minefield\/4.0b4pre\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko\/201008", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "727b2d98b20a865bbbf5e69da26f3499e1b29a9f", "protocol_details": { "payload_preview": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko\/201008", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko\/201008", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko\/201008", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:2.0b4pre) Gecko\/201008", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:57 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0043 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET /laravel/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 52% Risque capteur Moyen · 50 Confiance : Confiance 52 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /laravel/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /laravel/.git/config HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/58.0.3135.107 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 261, "payload_entropy": 5.461431330048484, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2247567bf6669d3a2ab39d5e35c36ae84ea78a2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.52, "classification_confidence": 0.52, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "45c6bd8e572e7f57513e6b194e92cfbc", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.98 Safari\/537.36 OPR\/58.0.3135.107\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6b39ce7242011efe5c96e2c08432ea064dc8dc11", "protocol_details": { "payload_preview": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 52 % \u2014 via HTTPS", "confidence_pct": 52, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 50 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 52 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 52 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe", "redis_config_probe", "websphere_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��Κ��{(/=��7�T2��%��ԮRFՌ�.t �\|�13��/ߙ�@��>�ސ�&�f�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��Κ��{(/=��7�T2��%��ԮRFՌ�.t �\|�13��/ߙ�@��>�ސ�&�f�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Κ��{(/=��7�T2��%��ԮRFՌ�.t �\|�13��/ߙ�@��>�ސ�&�f�&�+�/�,�0̨̩� �� /5� w �+3&$ ��z"z��njj�q%��no�}߃�H Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.886305950241798, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e429c7b126600691a02e574d76524fa7", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u039a\ufffd\ufffd\ufffd{(\/=\ufffd\ufffd\ufffd7\ufffdT2\ufffd\ufffd\ufffd%\ufffd\ufffd\u052eRF\u054c\ufffd.t \u0011\ufffd\u0007\u0012\|\ufffd13\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\/\u07d9\ufffd@\ufffd\ufffd>\ufffd\u0011\u0790\ufffd&\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u039a\ufffd\ufffd\ufffd{(\/=\ufffd\ufffd\ufffd7\ufffdT2\ufffd\ufffd\ufffd%\ufffd\ufffd\u052eRF\u054c\ufffd.t \u0011\ufffd\u0007\u0012\|\ufffd13\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\/\u07d9\ufffd@\ufffd\ufffd>\ufffd\u0011\u0790\ufffd&\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0005\ufffd\ufffdz\"z\ufffd\u0014\ufffd\ufffd\ufffd\u0010njj\ufffdq%\ufffd\ufffd\ufffdn\u000fo\ufffd\u001d}\u07c3\ufffdH\u0007", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u039a\ufffd\ufffd\ufffd{(\/=\ufffd\ufffd\ufffd7\ufffdT2\ufffd\ufffd\ufffd%\ufffd\ufffd\u052eRF\u054c\ufffd.t \u0011\ufffd\u0007\u0012\|\ufffd13\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\/\u07d9\ufffd@\ufffd\ufffd>\ufffd\u0011\u0790\ufffd&\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "49953204fc780133758fe54f658ea148a13943e2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u039a\ufffd\ufffd\ufffd{(\/=\ufffd\ufffd\ufffd7\ufffdT2\ufffd\ufffd\ufffd%\ufffd\ufffd\u052eRF\u054c\ufffd.t \u0011\ufffd\u0007\u0012\|\ufffd13\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\/\u07d9\ufffd@\ufffd\ufffd>\ufffd\u0011\u0790\ufffd&\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\u039a\ufffd\ufffd\ufffd{(\/=\ufffd\ufffd\ufffd7\ufffdT2\ufffd\ufffd\ufffd%\ufffd\ufffd\u052eRF\u054c\ufffd.t \ufffd\|\ufffd13\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\u07d9\ufffd@\ufffd\ufffd>\ufffd\u0790\ufffd&\ufffdf\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u039a\ufffd\ufffd\ufffd{(\/=\ufffd\ufffd\ufffd7\ufffdT2\ufffd\ufffd\ufffd%\ufffd\ufffd\u052eRF\u054c\ufffd.t \u0011\ufffd\u0007\u0012\|\ufffd13\ufffd\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\/\u07d9\ufffd@\ufffd\ufffd>\ufffd\u0011\u0790\ufffd&\ufffdf\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\u039a\ufffd\ufffd\ufffd{(\/=\ufffd\ufffd\ufffd7\ufffdT2\ufffd\ufffd\ufffd%\ufffd\ufffd\u052eRF\u054c\ufffd.t \ufffd\|\ufffd13\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\u07d9\ufffd@\ufffd\ufffd>\ufffd\u0790\ufffd&\ufffdf\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��Ů�ϲ]6�w$��tj�77�[�['� �TԿ7�y�"��\|�I''��&�9B7�1&�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��Ů�ϲ]6�w$��tj�77�[�['� �TԿ7�y�"��\|�I''��&�9B7�1&�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Ů�ϲ]6�w$��tj�77�[�['� �TԿ7�y�"��\|�I''��&�9B7�1&�&�+�/�,�0̨̩� �� /5� w �+3&$ �%��0�Ȧ&H��p��c^~��+Iu�# Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.8606084211619915, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fff93be5f75eed619449705efa62f166", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u016e\ufffd\u03f2]\u001b\u001c6\ufffdw$\ufffd\ufffd\ufffd\u0005\ufffdtj\ufffd77\ufffd\u0019[\ufffd['\ufffd \ufffdT\u053f7\ufffd\by\ufffd\u001e\"\ufffd\ufffd\|\ufffdI''\ufffd\ufffd&\ufffd9B7\ufffd1\u001c&\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u016e\ufffd\u03f2]\u001b\u001c6\ufffdw$\ufffd\ufffd\ufffd\u0005\ufffdtj\ufffd77\ufffd\u0019[\ufffd['\ufffd \ufffdT\u053f7\ufffd\by\ufffd\u001e\"\ufffd\ufffd\|\ufffdI''\ufffd\ufffd&\ufffd9B7\ufffd1\u001c&\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd%\ufffd\ufffd\u0018\ufffd0\ufffd\u0226&H\ufffd\ufffdp\ufffd\u000f\u001e\ufffdc^~\ufffd\ufffd\ufffd+Iu\ufffd#", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u016e\ufffd\u03f2]\u001b\u001c6\ufffdw$\ufffd\ufffd\ufffd\u0005\ufffdtj\ufffd77\ufffd\u0019[\ufffd['\ufffd \ufffdT\u053f7\ufffd\by\ufffd\u001e\"\ufffd\ufffd\|\ufffdI''\ufffd\ufffd&\ufffd9B7\ufffd1\u001c&\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b3be7048aaa5c0103f16cca679e5f6d9a0f298d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u016e\ufffd\u03f2]\u001b\u001c6\ufffdw$\ufffd\ufffd\ufffd\u0005\ufffdtj\ufffd77\ufffd\u0019[\ufffd['\ufffd \ufffdT\u053f7\ufffd\by\ufffd\u001e\"\ufffd\ufffd\|\ufffdI''\ufffd\ufffd&\ufffd9B7\ufffd1\u001c&\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u016e\ufffd\u03f2]6\ufffdw$\ufffd\ufffd\ufffd\ufffdtj\ufffd77\ufffd[\ufffd['\ufffd \ufffdT\u053f7\ufffdy\ufffd\"\ufffd\ufffd\|\ufffdI''\ufffd\ufffd&\ufffd9B7\ufffd1&\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u016e\ufffd\u03f2]\u001b\u001c6\ufffdw$\ufffd\ufffd\ufffd\u0005\ufffdtj\ufffd77\ufffd\u0019[\ufffd['\ufffd \ufffdT\u053f7\ufffd\by\ufffd\u001e\"\ufffd\ufffd\|\ufffdI''\ufffd\ufffd&\ufffd9B7\ufffd1\u001c&\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u016e\ufffd\u03f2]6\ufffdw$\ufffd\ufffd\ufffd\ufffdtj\ufffd77\ufffd[\ufffd['\ufffd \ufffdT\u053f7\ufffdy\ufffd\"\ufffd\ufffd\|\ufffdI''\ufffd\ufffd&\ufffd9B7\ufffd1&\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��)-�}&�L\|Vbm��YL�s��Tն��d[ �f)�O��n��\ ��lJ1'S��X�G�G�V&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��)-�}&�L\|Vbm��YL�s��Tն��d[ �f)�O��n��\ ��lJ1'S��X�G�G�V&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��)-�}&�L\|Vbm��YL�s��Tն��d[ �f)�O��n��\ ��lJ1'S��X�G�G�V&�+�/�,�0̨̩� �� /5� w �+3&$ +�$�(��%d�d<:� �u�bbb�#� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.849875027384575, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3f1a18336a74350cf4a0f57e824c48f9", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)-\ufffd}&\u0011\ufffdL\|\u0001Vbm\ufffd\ufffdYL\u0014\u0015\ufffds\ufffd\ufffdT\u0576\ufffd\ufffdd\u001b[ \ufffdf\u0005)\ufffd\u000fO\ufffd\ufffdn\ufffd\ufffd\\\t\ufffd\ufffd\ufffdlJ1'S\ufffd\ufffdX\u0016\ufffdG\ufffdG\ufffdV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)-\ufffd}&\u0011\ufffdL\|\u0001Vbm\ufffd\ufffdYL\u0014\u0015\ufffds\ufffd\ufffdT\u0576\ufffd\ufffdd\u001b[ \ufffdf\u0005)\ufffd\u000fO\ufffd\ufffdn\ufffd\ufffd\\\t\ufffd\ufffd\ufffdlJ1'S\ufffd\ufffdX\u0016\ufffdG\ufffdG\ufffdV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 +\ufffd$\ufffd(\ufffd\u0004\ufffd\u001e\u0003%\u001cd\ufffdd<:\ufffd\r\ufffdu\ufffdbbb\ufffd\u0014#\ufffd\u000b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)-\ufffd}&\u0011\ufffdL\|\u0001Vbm\ufffd\ufffdYL\u0014\u0015\ufffds\ufffd\ufffdT\u0576\ufffd\ufffdd\u001b[ \ufffdf\u0005)\ufffd\u000fO\ufffd\ufffdn\ufffd\ufffd\\\t\ufffd\ufffd\ufffdlJ1'S\ufffd\ufffdX\u0016\ufffdG\ufffdG\ufffdV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "049af749bd8cf7e3e97bedf1206beb3b058c96d6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)-\ufffd}&\u0011\ufffdL\|\u0001Vbm\ufffd\ufffdYL\u0014\u0015\ufffds\ufffd\ufffdT\u0576\ufffd\ufffdd\u001b[ \ufffdf\u0005)\ufffd\u000fO\ufffd\ufffdn\ufffd\ufffd\\\t\ufffd\ufffd\ufffdlJ1'S\ufffd\ufffdX\u0016\ufffdG\ufffdG\ufffdV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd)-\ufffd}&\ufffdL\|Vbm\ufffd\ufffdYL\ufffds\ufffd\ufffdT\u0576\ufffd\ufffdd[ \ufffdf)\ufffdO\ufffd\ufffdn\ufffd\ufffd\\\t\ufffd\ufffd\ufffdlJ1'S\ufffd\ufffdX\ufffdG\ufffdG\ufffdV&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)-\ufffd}&\u0011\ufffdL\|\u0001Vbm\ufffd\ufffdYL\u0014\u0015\ufffds\ufffd\ufffdT\u0576\ufffd\ufffdd\u001b[ \ufffdf\u0005)\ufffd\u000fO\ufffd\ufffdn\ufffd\ufffd\\\t\ufffd\ufffd\ufffdlJ1'S\ufffd\ufffdX\u0016\ufffdG\ufffdG\ufffdV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd)-\ufffd}&\ufffdL\|Vbm\ufffd\ufffdYL\ufffds\ufffd\ufffdT\u0576\ufffd\ufffdd[ \ufffdf)\ufffdO\ufffd\ufffdn\ufffd\ufffd\\\t\ufffd\ufffd\ufffdlJ1'S\ufffd\ufffdX\ufffdG\ufffdG\ufffdV&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��?кIf�j?r�6B`f�F��!B�T��l�T΁) �q'�G#k�(z} qǩ�.�F˓0Ƃ�q�)�"�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��?кIf�j?r�6B`f�F��!B�T��l�T΁) �q'�G#k�(z} qǩ�.�F˓0Ƃ�q�)�"�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��?кIf�j?r�6B`f�F��!B�T��l�T΁) �q'�G#k�(z} qǩ�.�F˓0Ƃ�q�)�"�&�+�/�,�0̨̩� �� /5� w �+3&$ =l >�,n��eu�+�f�`��Ϝ&29�a׮_ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.894159703143837, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "30593a37bb7bebbf976d33bf80823212", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\u043aIf\ufffdj?r\ufffd6B`f\ufffd\u001aF\ufffd\ufffd!B\ufffdT\ufffd\ufffdl\ufffdT\u0381) \ufffdq'\ufffdG#k\ufffd(z}\nq\u0012\u01e9\ufffd.\ufffdF\u02d30\u0182\ufffdq\ufffd)\ufffd\"\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\u043aIf\ufffdj?r\ufffd6B`f\ufffd\u001aF\ufffd\ufffd!B\ufffdT\ufffd\ufffdl\ufffdT\u0381) \ufffdq'\ufffdG#k\ufffd(z}\nq\u0012\u01e9\ufffd.\ufffdF\u02d30\u0182\ufffdq\ufffd)\ufffd\"\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 =l\b\u000b>\ufffd,n\ufffd\ufffd\ufffd\ufffdeu\ufffd+\ufffdf\ufffd`\ufffd\ufffd\u03dc&29\ufffda\u05ee_", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\u043aIf\ufffdj?r\ufffd6B`f\ufffd\u001aF\ufffd\ufffd!B\ufffdT\ufffd\ufffdl\ufffdT\u0381) \ufffdq'\ufffdG#k\ufffd(z}\nq\u0012\u01e9\ufffd.\ufffdF\u02d30\u0182\ufffdq\ufffd)\ufffd\"\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "69fe76580010f0c7294a83730485976dbbb4ace8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\u043aIf\ufffdj?r\ufffd6B`f\ufffd\u001aF\ufffd\ufffd!B\ufffdT\ufffd\ufffdl\ufffdT\u0381) \ufffdq'\ufffdG#k\ufffd(z}\nq\u0012\u01e9\ufffd.\ufffdF\u02d30\u0182\ufffdq\ufffd)\ufffd\"\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd?\u043aIf\ufffdj?r\ufffd6B`f\ufffdF\ufffd\ufffd!B\ufffdT\ufffd\ufffdl\ufffdT\u0381) \ufffdq'\ufffdG#k\ufffd(z}\nq\u01e9\ufffd.\ufffdF\u02d30\u0182\ufffdq\ufffd)\ufffd\"\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\u043aIf\ufffdj?r\ufffd6B`f\ufffd\u001aF\ufffd\ufffd!B\ufffdT\ufffd\ufffdl\ufffdT\u0381) \ufffdq'\ufffdG#k\ufffd(z}\nq\u0012\u01e9\ufffd.\ufffdF\u02d30\u0182\ufffdq\ufffd)\ufffd\"\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd?\u043aIf\ufffdj?r\ufffd6B`f\ufffdF\ufffd\ufffd!B\ufffdT\ufffd\ufffdl\ufffdT\u0381) \ufffdq'\ufffdG#k\ufffd(z}\nq\u01e9\ufffd.\ufffdF\u02d30\u0182\ufffdq\ufffd)\ufffd\"\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��A�(n��π��Vi^U��S�a; ��ϡP ;I��h�c��;{�:- ��_7,�Yr{�^&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��A�(n��π��Vi^U��S�a;��ϡP ;I��h�c��;{�:- ��_7,�Yr{�^&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��A�(n��π��Vi^U��S�a; ��ϡP ;I��h�c��;{�:- ��_7,�Yr{�^&�+�/�,�0̨̩� �� /5� w �+3&$ +��9��GeP�NA�M�P�(Q�ZA1�M�G�r Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.874597744364799, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b08cf4ac9262bf339341618478250f87", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd(n\ufffd\ufffd\u03c0\ufffd\ufffdVi^U\u0003\ufffd\ufffdS\ufffda;\f\ufffd\u0013\ufffd\u001c\ufffd\ufffd\ufffd\u03e1P ;I\ufffd\u001c\ufffd\u001dh\ufffdc\u0011\u0002\ufffd\ufffd;{\ufffd:-\t\ufffd\ufffd\u001f_7,\ufffdYr{\ufffd\u0016^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd(n\ufffd\ufffd\u03c0\ufffd\ufffdVi^U\u0003\ufffd\ufffdS\ufffda;\f\ufffd\u0013\ufffd\u001c\ufffd\ufffd\ufffd\u03e1P ;I\ufffd\u001c\ufffd\u001dh\ufffdc\u0011\u0002\ufffd\ufffd;{\ufffd:-\t\ufffd\ufffd\u001f_7,\ufffdYr{\ufffd\u0016^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 +\ufffd\ufffd9\ufffd\ufffdGeP\ufffdNA\ufffdM\ufffdP\ufffd(Q\ufffdZ\u001aA1\ufffdM\u001c\ufffdG\ufffdr", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd(n\ufffd\ufffd\u03c0\ufffd\ufffdVi^U\u0003\ufffd\ufffdS\ufffda;\f\ufffd\u0013\ufffd\u001c\ufffd\ufffd\ufffd\u03e1P ;I\ufffd\u001c\ufffd\u001dh\ufffdc\u0011\u0002\ufffd\ufffd;{\ufffd:-\t\ufffd\ufffd\u001f_7,\ufffdYr{\ufffd\u0016^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1fa25b104e34a0ce63f1ddbeae1ca995db66e30a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd(n\ufffd\ufffd\u03c0\ufffd\ufffdVi^U\u0003\ufffd\ufffdS\ufffda;\f\ufffd\u0013\ufffd\u001c\ufffd\ufffd\ufffd\u03e1P ;I\ufffd\u001c\ufffd\u001dh\ufffdc\u0011\u0002\ufffd\ufffd;{\ufffd:-\t\ufffd\ufffd\u001f_7,\ufffdYr{\ufffd\u0016^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffdA\ufffd(n\ufffd\ufffd\u03c0\ufffd\ufffdVi^U\ufffd\ufffdS\ufffda;\ufffd\ufffd\ufffd\ufffd\ufffd\u03e1P ;I\ufffd\ufffdh\ufffdc\ufffd\ufffd;{\ufffd:-\t\ufffd\ufffd_7,\ufffdYr{\ufffd^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd(n\ufffd\ufffd\u03c0\ufffd\ufffdVi^U\u0003\ufffd\ufffdS\ufffda;\f\ufffd\u0013\ufffd\u001c\ufffd\ufffd\ufffd\u03e1P ;I\ufffd\u001c\ufffd\u001dh\ufffdc\u0011\u0002\ufffd\ufffd;{\ufffd:-\t\ufffd\ufffd\u001f_7,\ufffdYr{\ufffd\u0016^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdA\ufffd(n\ufffd\ufffd\u03c0\ufffd\ufffdVi^U\ufffd\ufffdS\ufffda;\ufffd\ufffd\ufffd\ufffd\ufffd\u03e1P ;I\ufffd\ufffdh\ufffdc\ufffd\ufffd;{\ufffd:-\t\ufffd\ufffd_7,\ufffdYr{\ufffd^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��.��{��R�a��n�cU}�t\|�^��W6�` ��y��n��c�̮�[�5��g+'38&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��.��{��R�a��n�cU}�t\|�^��W6�` ��y��n��c�̮�[�5��g+'38&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��.��{��R�a��n�cU}�t\|�^��W6�` ��y��n��c�̮�[�5��g+'38&�+�/�,�0̨̩� �� /5� w �+3&$ 53��,���O�3�W�bt�Z��Tn�!/` Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.776055405518381, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "098c83ed49c7055c7cc13a30ab41ca97", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.\ufffd\ufffd{\ufffd\ufffd\ufffdR\ufffda\ufffd\ufffdn\ufffdcU}\ufffdt\|\ufffd^\u000f\ufffd\ufffd\ufffdW6\ufffd` \ufffd\ufffdy\ufffd\ufffd\ufffd\u001an\u0015\ufffd\ufffd\ufffdc\ufffd\u0003\u032e\ufffd\u0002[\ufffd5\u0005\ufffd\u0019\ufffdg+'38\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.\ufffd\ufffd{\ufffd\ufffd\ufffdR\ufffda\ufffd\ufffdn\ufffdcU}\ufffdt\|\ufffd^\u000f\ufffd\ufffd\ufffdW6\ufffd` \ufffd\ufffdy\ufffd\ufffd\ufffd\u001an\u0015\ufffd\ufffd\ufffdc\ufffd\u0003\u032e\ufffd\u0002[\ufffd5\u0005\ufffd\u0019\ufffdg+'38\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 53\ufffd\ufffd\ufffd\ufffd\u0019\u0018,\ufffd\ufffd\u001b\ufffdO\ufffd3\ufffdW\ufffdbt\ufffdZ\ufffd\ufffdTn\ufffd!\/`", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.\ufffd\ufffd{\ufffd\ufffd\ufffdR\ufffda\ufffd\ufffdn\ufffdcU}\ufffdt\|\ufffd^\u000f\ufffd\ufffd\ufffdW6\ufffd` \ufffd\ufffdy\ufffd\ufffd\ufffd\u001an\u0015\ufffd\ufffd\ufffdc\ufffd\u0003\u032e\ufffd\u0002[\ufffd5\u0005\ufffd\u0019\ufffdg+'38\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "de356af1828dc277fa4007179530ca1f328d7613", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.\ufffd\ufffd{\ufffd\ufffd\ufffdR\ufffda\ufffd\ufffdn\ufffdcU}\ufffdt\|\ufffd^\u000f\ufffd\ufffd\ufffdW6\ufffd` \ufffd\ufffdy\ufffd\ufffd\ufffd\u001an\u0015\ufffd\ufffd\ufffdc\ufffd\u0003\u032e\ufffd\u0002[\ufffd5\u0005\ufffd\u0019\ufffdg+'38\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd.\ufffd\ufffd{\ufffd\ufffd\ufffdR\ufffda\ufffd\ufffdn\ufffdcU}\ufffdt\|\ufffd^\ufffd\ufffd\ufffdW6\ufffd` \ufffd\ufffdy\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffdc\ufffd\u032e\ufffd[\ufffd5\ufffd\ufffdg+'38&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.\ufffd\ufffd{\ufffd\ufffd\ufffdR\ufffda\ufffd\ufffdn\ufffdcU}\ufffdt\|\ufffd^\u000f\ufffd\ufffd\ufffdW6\ufffd` \ufffd\ufffdy\ufffd\ufffd\ufffd\u001an\u0015\ufffd\ufffd\ufffdc\ufffd\u0003\u032e\ufffd\u0002[\ufffd5\u0005\ufffd\u0019\ufffdg+'38\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd.\ufffd\ufffd{\ufffd\ufffd\ufffdR\ufffda\ufffd\ufffdn\ufffdcU}\ufffdt\|\ufffd^\ufffd\ufffd\ufffdW6\ufffd` \ufffd\ufffdy\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffdc\ufffd\u032e\ufffd[\ufffd5\ufffd\ufffdg+'38&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��0��\k��]H�e��:pp��)"¿�� J��z:h?)�$��'+�~�5T��k̤2��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��0��\k��]H�e��:pp��)"¿�� J��z:h?)�$��'+�~�5T��k̤2��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��0��\k��]H�e��:pp��)"¿�� J��z:h?)�$��'+�~�5T��k̤2��&�+�/�,�0̨̩� �� /5� w �+3&$ ��L��J�x�~~K�Z�=�aL @@:r�: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.785485423116629, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "91a362417452e02e6770eb0e08d0c5b7", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\ufffd\ufffd\ufffd\ufffd\ufffd\\k\ufffd\ufffd\u0000\ufffd]H\ufffde\ufffd\ufffd:pp\ufffd\ufffd\ufffd\ufffd)\"\u00bf\ufffd\ufffd J\ufffd\u000f\ufffd\ufffdz:h?)\ufffd$\ufffd\ufffd\ufffd'+\ufffd~\u0002\ufffd5T\ufffd\u001d\ufffdk\u03242\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\ufffd\ufffd\ufffd\ufffd\ufffd\\k\ufffd\ufffd\u0000\ufffd]H\ufffde\ufffd\ufffd:pp\ufffd\ufffd\ufffd\ufffd)\"\u00bf\ufffd\ufffd J\ufffd\u000f\ufffd\ufffdz:h?)\ufffd$\ufffd\ufffd\ufffd'+\ufffd~\u0002\ufffd5T\ufffd\u001d\ufffdk\u03242\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdL\ufffd\ufffd\ufffd\u0016\ufffdJ\ufffdx\ufffd~~\u0001K\ufffdZ\ufffd=\ufffda\u0007L\t@@:r\ufffd\u0007:", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\ufffd\ufffd\ufffd\ufffd\ufffd\\k\ufffd\ufffd\u0000\ufffd]H\ufffde\ufffd\ufffd:pp\ufffd\ufffd\ufffd\ufffd)\"\u00bf\ufffd\ufffd J\ufffd\u000f\ufffd\ufffdz:h?)\ufffd$\ufffd\ufffd\ufffd'+\ufffd~\u0002\ufffd5T\ufffd\u001d\ufffdk\u03242\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "efa7695b1bd10fc5c2f20ec1a14e16a0edf38fe0", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\ufffd\ufffd\ufffd\ufffd\ufffd\\k\ufffd\ufffd\u0000\ufffd]H\ufffde\ufffd\ufffd:pp\ufffd\ufffd\ufffd\ufffd)\"\u00bf\ufffd\ufffd J\ufffd\u000f\ufffd\ufffdz:h?)\ufffd$\ufffd\ufffd\ufffd'+\ufffd~\u0002\ufffd5T\ufffd\u001d\ufffdk\u03242\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd\ufffd\\k\ufffd\ufffd\ufffd]H\ufffde\ufffd\ufffd:pp\ufffd\ufffd\ufffd\ufffd)\"\u00bf\ufffd\ufffd J\ufffd\ufffd\ufffdz:h?)\ufffd$\ufffd\ufffd\ufffd'+\ufffd~\ufffd5T\ufffd\ufffdk\u03242\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\ufffd\ufffd\ufffd\ufffd\ufffd\\k\ufffd\ufffd\u0000\ufffd]H\ufffde\ufffd\ufffd:pp\ufffd\ufffd\ufffd\ufffd)\"\u00bf\ufffd\ufffd J\ufffd\u000f\ufffd\ufffdz:h?)\ufffd$\ufffd\ufffd\ufffd'+\ufffd~\u0002\ufffd5T\ufffd\u001d\ufffdk\u03242\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd\ufffd\\k\ufffd\ufffd\ufffd]H\ufffde\ufffd\ufffd:pp\ufffd\ufffd\ufffd\ufffd)\"\u00bf\ufffd\ufffd J\ufffd\ufffd\ufffdz:h?)\ufffd$\ufffd\ufffd\ufffd'+\ufffd~\ufffd5T\ufffd\ufffdk\u03242\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��,jn(㐕bn�X�̘�]H��X43=��B x�ȋ7��aȄut�}�.�wz�� K�d }&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��,jn(㐕bn�X�̘�]H��X43=��B x�ȋ7��aȄut�}�.�wz��K�d }&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��,jn(㐕bn�X�̘�]H��X43=��B x�ȋ7��aȄut�}�.�wz�� K�d }&�+�/�,�0̨̩� �� /5� w �+3&$ I��1�dR��ǘɜ��%5W:N Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.814216387481421, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3ce6a1ae5bd0fcfb2024d9cc17b2de46", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,jn(\u3415bn\ufffdX\u0006\ufffd\u0318\ufffd\u0002]H\ufffd\u0014\ufffdX43=\ufffd\ufffd\ufffdB x\ufffd\u020b7\ufffd\ufffd\ufffd\ufffda\u0204ut\ufffd}\ufffd.\ufffdwz\u0011\ufffd\ufffd\u000b\ufffdK\ufffdd\n}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,jn(\u3415bn\ufffdX\u0006\ufffd\u0318\ufffd\u0002]H\ufffd\u0014\ufffdX43=\ufffd\ufffd\ufffdB x\ufffd\u020b7\ufffd\ufffd\ufffd\ufffda\u0204ut\ufffd}\ufffd.\ufffdwz\u0011\ufffd\ufffd\u000b\ufffdK\ufffdd\n}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 I\u0016\ufffd\ufffd\ufffd\u00011\ufffddR\ufffd\ufffd\ufffd\u01d8\u025c\u0018\ufffd\u001d\ufffd\ufffd\u0006\ufffd\u0003%5W:\u001cN", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,jn(\u3415bn\ufffdX\u0006\ufffd\u0318\ufffd\u0002]H\ufffd\u0014\ufffdX43=\ufffd\ufffd\ufffdB x\ufffd\u020b7\ufffd\ufffd\ufffd\ufffda\u0204ut\ufffd}\ufffd.\ufffdwz\u0011\ufffd\ufffd\u000b\ufffdK\ufffdd\n}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9cbb32dbcdc2373723d49084fe17f920fd7d1f51", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,jn(\u3415bn\ufffdX\u0006\ufffd\u0318\ufffd\u0002]H\ufffd\u0014\ufffdX43=\ufffd\ufffd\ufffdB x\ufffd\u020b7\ufffd\ufffd\ufffd\ufffda\u0204ut\ufffd}\ufffd.\ufffdwz\u0011\ufffd\ufffd\u000b\ufffdK\ufffdd\n}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd,jn(\u3415bn\ufffdX\ufffd\u0318\ufffd]H\ufffd\ufffdX43=\ufffd\ufffd\ufffdB x\ufffd\u020b7\ufffd\ufffd\ufffd\ufffda\u0204ut\ufffd}\ufffd.\ufffdwz\ufffd\ufffd\ufffdK\ufffdd\n}&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,jn(\u3415bn\ufffdX\u0006\ufffd\u0318\ufffd\u0002]H\ufffd\u0014\ufffdX43=\ufffd\ufffd\ufffdB x\ufffd\u020b7\ufffd\ufffd\ufffd\ufffda\u0204ut\ufffd}\ufffd.\ufffdwz\u0011\ufffd\ufffd\u000b\ufffdK\ufffdd\n}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd,jn(\u3415bn\ufffdX\ufffd\u0318\ufffd]H\ufffd\ufffdX43=\ufffd\ufffd\ufffdB x\ufffd\u020b7\ufffd\ufffd\ufffd\ufffda\u0204ut\ufffd}\ufffd.\ufffdwz\ufffd\ufffd\ufffdK\ufffdd\n}&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��n��7F�F��0DhY�4��^�L!}��; V��ȵ/ ��Z�̯c��J��{�Z��=&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��n��7F�F��0DhY�4��^�L!}��; V��ȵ/ ��Z�̯c��J��{�Z��=&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��n��7F�F��0DhY�4��^�L!}��; V��ȵ/ ��Z�̯c��J��{�Z��=&�+�/�,�0̨̩� �� /5� w �+3&$ !"��;\�M��0�\��v�3~:z Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.7575362185863685, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1d4f722b7176b30bfee3ccdd6f69987e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\u0014\ufffd7F\ufffdF\ufffd\ufffd0DhY\ufffd\u001b4\ufffd\ufffd^\ufffdL!}\ufffd\ufffd; \u0012V\ufffd\u0004\ufffd\u0235\/\t\ufffd\ufffdZ\ufffd\u032fc\ufffd\u0001\ufffdJ\ufffd\u0018\ufffd\ufffd\u0018\u0001{\ufffdZ\ufffd\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\u0014\ufffd7F\ufffdF\ufffd\ufffd0DhY\ufffd\u001b4\ufffd\ufffd^\ufffdL!}\ufffd\ufffd; \u0012V\ufffd\u0004\ufffd\u0235\/\t\ufffd\ufffdZ\ufffd\u032fc\ufffd\u0001\ufffdJ\ufffd\u0018\ufffd\ufffd\u0018\u0001{\ufffdZ\ufffd\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 !\"\ufffd\ufffd\u0016\ufffd;\\\ufffdM\ufffd\ufffd\u000e\ufffd\ufffd\ufffd0\ufffd\\\ufffd\ufffdv\u0013\ufffd3\u0000\u0005~\u001b\u0000:z", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\u0014\ufffd7F\ufffdF\ufffd\ufffd0DhY\ufffd\u001b4\ufffd\ufffd^\ufffdL!}\ufffd\ufffd; \u0012V\ufffd\u0004\ufffd\u0235\/\t\ufffd\ufffdZ\ufffd\u032fc\ufffd\u0001\ufffdJ\ufffd\u0018\ufffd\ufffd\u0018\u0001{\ufffdZ\ufffd\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "95ad74398c4d1f8e7f55fa1d74053332c69b992a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\u0014\ufffd7F\ufffdF\ufffd\ufffd0DhY\ufffd\u001b4\ufffd\ufffd^\ufffdL!}\ufffd\ufffd; \u0012V\ufffd\u0004\ufffd\u0235\/\t\ufffd\ufffdZ\ufffd\u032fc\ufffd\u0001\ufffdJ\ufffd\u0018\ufffd\ufffd\u0018\u0001{\ufffdZ\ufffd\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd7F\ufffdF\ufffd\ufffd0DhY\ufffd4\ufffd\ufffd^\ufffdL!}\ufffd\ufffd; V\ufffd\ufffd\u0235\/\t\ufffd\ufffdZ\ufffd\u032fc\ufffd\ufffdJ\ufffd\ufffd\ufffd{\ufffdZ\ufffd\ufffd=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\u0014\ufffd7F\ufffdF\ufffd\ufffd0DhY\ufffd\u001b4\ufffd\ufffd^\ufffdL!}\ufffd\ufffd; \u0012V\ufffd\u0004\ufffd\u0235\/\t\ufffd\ufffdZ\ufffd\u032fc\ufffd\u0001\ufffdJ\ufffd\u0018\ufffd\ufffd\u0018\u0001{\ufffdZ\ufffd\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd7F\ufffdF\ufffd\ufffd0DhY\ufffd4\ufffd\ufffd^\ufffdL!}\ufffd\ufffd; V\ufffd\ufffd\u0235\/\t\ufffd\ufffdZ\ufffd\u032fc\ufffd\ufffdJ\ufffd\ufffd\ufffd{\ufffdZ\ufffd\ufffd=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��O�r<��_,�A�2�-3o׏�E�I ;�� AHxfr�"�Pvן��R%��~�`�b&�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��O�r<��_,�A�2�-3o׏�E�I ;�� AHxfr�"�Pvן��R%��~�`�b&�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��O�r<��_,�A�2�-3o׏�E�I ;�� AHxfr�"�Pvן��R%��~�`�b&�&�+�/�,�0̨̩� �� /5� w �+3&$ s�Rt#q�N�%&9I~��M�LG'jƜ��C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.868230704552088, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "62a3345ce38636d7c3dd34e0694b54a1", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001f\ufffd\u001c\u001d\ufffd\ufffdO\ufffdr<\ufffd\ufffd\ufffd_\u0000,\ufffdA\u0016\ufffd2\ufffd-3o\u05cf\ufffdE\ufffdI ;\ufffd\ufffd AHxfr\ufffd\"\ufffdPv\u05df\ufffd\ufffd\ufffdR%\ufffd\ufffd~\ufffd`\ufffdb&\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001f\ufffd\u001c\u001d\ufffd\ufffdO\ufffdr<\ufffd\ufffd\ufffd_\u0000,\ufffdA\u0016\ufffd2\ufffd-3o\u05cf\ufffdE\ufffdI ;\ufffd\ufffd AHxfr\ufffd\"\ufffdPv\u05df\ufffd\ufffd\ufffdR%\ufffd\ufffd~\ufffd`\ufffdb&\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 s\u0013\ufffd\u0012Rt#q\ufffdN\ufffd%&9I~\ufffd\ufffdM\ufffdLG'j\u019c\u0018\ufffd\ufffd\ufffdC\u001f", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001f\ufffd\u001c\u001d\ufffd\ufffdO\ufffdr<\ufffd\ufffd\ufffd_\u0000,\ufffdA\u0016\ufffd2\ufffd-3o\u05cf\ufffdE\ufffdI ;\ufffd\ufffd AHxfr\ufffd\"\ufffdPv\u05df\ufffd\ufffd\ufffdR%\ufffd\ufffd~\ufffd`\ufffdb&\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c36ca848081c01d1e0c8bcc9f18d45d7e023478b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001f\ufffd\u001c\u001d\ufffd\ufffdO\ufffdr<\ufffd\ufffd\ufffd_\u0000,\ufffdA\u0016\ufffd2\ufffd-3o\u05cf\ufffdE\ufffdI ;\ufffd\ufffd AHxfr\ufffd\"\ufffdPv\u05df\ufffd\ufffd\ufffdR%\ufffd\ufffd~\ufffd`\ufffdb&\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffdr<\ufffd\ufffd\ufffd_,\ufffdA\ufffd2\ufffd-3o\u05cf\ufffdE\ufffdI ;\ufffd\ufffd AHxfr\ufffd\"\ufffdPv\u05df\ufffd\ufffd\ufffdR%\ufffd\ufffd~\ufffd`\ufffdb&\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001f\ufffd\u001c\u001d\ufffd\ufffdO\ufffdr<\ufffd\ufffd\ufffd_\u0000,\ufffdA\u0016\ufffd2\ufffd-3o\u05cf\ufffdE\ufffdI ;\ufffd\ufffd AHxfr\ufffd\"\ufffdPv\u05df\ufffd\ufffd\ufffdR%\ufffd\ufffd~\ufffd`\ufffdb&\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffdr<\ufffd\ufffd\ufffd_,\ufffdA\ufffd2\ufffd-3o\u05cf\ufffdE\ufffdI ;\ufffd\ufffd AHxfr\ufffd\"\ufffdPv\u05df\ufffd\ufffd\ufffdR%\ufffd\ufffd~\ufffd`\ufffd*b&\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��з��qb�Y y�Y�n��F �Bpj�� g��Ȟ��c�1��2�tEr�{�[��x&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��з��qb�Y y�Y�n��F �Bpj�� g��Ȟ��c�1��2�tEr�{�[��x&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��з��qb�Y y�Y�n��F �Bpj�� g��Ȟ��c�1��2�tEr�{�[��x&�+�/�,�0̨̩� �� /5� w �+3&$ =7��B�P JS.A-��T�^�$I��Y��- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.854605568137817, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01ba81d160c83815920e24ef97d993cb", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0437\ufffd\ufffd\ufffdqb\u0005\ufffdY y\ufffdY\ufffdn\ufffd\u001f\ufffd\u0004F\r\ufffdBpj\ufffd\ufffd\b\ufffd \ufffd\ufffdg\ufffd\ufffd\u021e\ufffd\ufffd\ufffd\u0015c\ufffd1\ufffd\ufffd2\ufffdtEr\ufffd{\ufffd[\ufffd\u0018\u0001\ufffd\ufffdx\u0012\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0437\ufffd\ufffd\ufffdqb\u0005\ufffdY y\ufffdY\ufffdn\ufffd\u001f\ufffd\u0004F\r\ufffdBpj\ufffd\ufffd\b\ufffd \ufffd\ufffdg\ufffd\ufffd\u021e\ufffd\ufffd\ufffd\u0015c\ufffd1\ufffd\ufffd2\ufffdtEr\ufffd{\ufffd[\ufffd\u0018\u0001\ufffd\ufffdx\u0012\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 =7\ufffd\ufffdB\ufffd\u001b\u0015P\fJS.A-\ufffd\ufffdT\ufffd^\ufffd$I\ufffd\ufffdY\ufffd\ufffd\ufffd-", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0437\ufffd\ufffd\ufffdqb\u0005\ufffdY y\ufffdY\ufffdn\ufffd\u001f\ufffd\u0004F\r\ufffdBpj\ufffd\ufffd\b\ufffd \ufffd\ufffdg\ufffd\ufffd\u021e\ufffd\ufffd\ufffd\u0015c\ufffd1\ufffd\ufffd2\ufffdtEr\ufffd{\ufffd[\ufffd\u0018\u0001\ufffd\ufffdx\u0012\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c4c3421d21ea9ee0f3430eef85cfdfddd63e3a2e", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0437\ufffd\ufffd\ufffdqb\u0005\ufffdY y\ufffdY\ufffdn\ufffd\u001f\ufffd\u0004F\r\ufffdBpj\ufffd\ufffd\b\ufffd \ufffd\ufffdg\ufffd\ufffd\u021e\ufffd\ufffd\ufffd\u0015c\ufffd1\ufffd\ufffd2\ufffdtEr\ufffd{\ufffd[\ufffd\u0018\u0001\ufffd\ufffdx\u0012\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\u0437\ufffd\ufffd\ufffdqb\ufffdY y\ufffdY\ufffdn\ufffd\ufffdF\r\ufffdBpj\ufffd\ufffd\ufffd \ufffd\ufffdg\ufffd\ufffd\u021e\ufffd\ufffd\ufffdc\ufffd1\ufffd\ufffd2\ufffdtEr\ufffd{\ufffd[\ufffd\ufffd\ufffdx&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0437\ufffd\ufffd\ufffdqb\u0005\ufffdY y\ufffdY\ufffdn\ufffd\u001f\ufffd\u0004F\r\ufffdBpj\ufffd\ufffd\b\ufffd \ufffd\ufffdg\ufffd\ufffd\u021e\ufffd\ufffd\ufffd\u0015c\ufffd1\ufffd\ufffd2\ufffdtEr\ufffd{\ufffd[\ufffd\u0018\u0001\ufffd\ufffdx\u0012\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\u0437\ufffd\ufffd\ufffdqb\ufffdY y\ufffdY\ufffdn\ufffd\ufffdF\r\ufffdBpj\ufffd\ufffd\ufffd \ufffd\ufffdg\ufffd\ufffd\u021e\ufffd\ufffd\ufffdc\ufffd1\ufffd\ufffd2\ufffdtEr\ufffd{\ufffd[\ufffd\ufffd\ufffdx&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��2��" �o篇d��y لq� Yn��P�" �@J��)�g.]%�0ܶR� yϰ7�.S�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��2��" �o篇d��y لq� Yn��P�" �@J��)�g.]%�0ܶR�yϰ7�.S�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��2��" �o篇d��y لq� Yn��P�" �@J��)�g.]%�0ܶR� yϰ7�.S�&�+�/�,�0̨̩� �� /5� w �+3&$ �^�%� �F��s��fŏ۩�4�<��g�a Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.859851205486015, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d339bc9b9bf386596dcee60b91e4db0a", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd2\ufffd\ufffd\ufffd\"\t\ufffdo\u7bc7d\ufffd\u001e\ufffdy\t\u0644q\ufffd\tYn\u0002\ufffd\ufffdP\ufffd\u0010\" \ufffd@\u0006J\ufffd\ufffd)\ufffdg\u001b.]%\ufffd0\u0736\u0018R\ufffd\u0016\u000b\u000fy\u0016\u03f07\ufffd.S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd2\ufffd\ufffd\ufffd\"\t\ufffdo\u7bc7d\ufffd\u001e\ufffdy\t\u0644q\ufffd\tYn\u0002\ufffd\ufffdP\ufffd\u0010\" \ufffd@\u0006J\ufffd\ufffd)\ufffdg\u001b.]%\ufffd0\u0736\u0018R\ufffd\u0016\u000b\u000fy\u0016\u03f07\ufffd.S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd^\ufffd%\ufffd\t\ufffdF\ufffd\ufffd\ufffd\u0012s\ufffd\ufffd\ufffdf\u014f\u06e9\ufffd4\ufffd<\ufffd\ufffd\ufffdg\ufffda", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd2\ufffd\ufffd\ufffd\"\t\ufffdo\u7bc7d\ufffd\u001e\ufffdy\t\u0644q\ufffd\tYn\u0002\ufffd\ufffdP\ufffd\u0010\" \ufffd@\u0006J\ufffd\ufffd)\ufffdg\u001b.]%\ufffd0\u0736\u0018R\ufffd\u0016\u000b\u000fy\u0016\u03f07\ufffd.S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "20914024d23bb69802feebf879eba3e0327f8170", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd2\ufffd\ufffd\ufffd\"\t\ufffdo\u7bc7d\ufffd\u001e\ufffdy\t\u0644q\ufffd\tYn\u0002\ufffd\ufffdP\ufffd\u0010\" \ufffd@\u0006J\ufffd\ufffd)\ufffdg\u001b.]%\ufffd0\u0736\u0018R\ufffd\u0016\u000b\u000fy\u0016\u03f07\ufffd.S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffd\"\t\ufffdo\u7bc7d\ufffd\ufffdy\t\u0644q\ufffd\tYn\ufffd\ufffdP\ufffd\" \ufffd@J\ufffd\ufffd)\ufffdg.]%\ufffd0\u0736R\ufffdy\u03f07\ufffd.S\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd2\ufffd\ufffd\ufffd\"\t\ufffdo\u7bc7d\ufffd\u001e\ufffdy\t\u0644q\ufffd\tYn\u0002\ufffd\ufffdP\ufffd\u0010\" \ufffd@\u0006J\ufffd\ufffd)\ufffdg\u001b.]%\ufffd0\u0736\u0018R\ufffd\u0016\u000b\u000fy\u0016\u03f07\ufffd.S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffd\"\t\ufffdo\u7bc7d\ufffd\ufffdy\t\u0644q\ufffd\tYn\ufffd\ufffdP\ufffd\" \ufffd@J\ufffd\ufffd)\ufffdg.]%\ufffd0\u0736R\ufffdy\u03f07\ufffd.S\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��l�;��ނ V�E�f�e�f cm�� N ��\R?ϓ(2�0MxQܓt��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��l�;��ނ V�E�f�e�fcm�� N ��\R?ϓ(2�0MxQܓt��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��l�;��ނ V�E�f�e�f cm�� N ��\R?ϓ(2�0MxQܓt��&�+�/�,�0̨̩� �� /5� w �+3&$ {��s9aQ�O%�Rgݛ��P�>}.e �. Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.891544538417383, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3980f3d74987064f8ed6160da92f9709", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdl\ufffd;\u0018\ufffd\ufffd\ufffd\u0782 V\ufffdE\ufffdf\ufffde\ufffdf\u000bcm\ufffd\ufffd\ufffd N \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\R?\u03d3\u0006(2\u0014\ufffd0MxQ\u0013\u0713t\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdl\ufffd;\u0018\ufffd\ufffd\ufffd\u0782 V\ufffdE\ufffdf\ufffde\ufffdf\u000bcm\ufffd\ufffd\ufffd N \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\R?\u03d3\u0006(2\u0014\ufffd0MxQ\u0013\u0713t\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 {\ufffd\ufffd\ufffds9\u001caQ\ufffdO\u0006%\ufffdRg\u075b\u0016\ufffd\ufffd\ufffdP\ufffd>}.e\t\ufffd.", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdl\ufffd;\u0018\ufffd\ufffd\ufffd\u0782 V\ufffdE\ufffdf\ufffde\ufffdf\u000bcm\ufffd\ufffd\ufffd N \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\R?\u03d3\u0006(2\u0014\ufffd0MxQ\u0013\u0713t\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aef88d8008067d3c117f5765509b6ed48fa2ec20", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdl\ufffd;\u0018\ufffd\ufffd\ufffd\u0782 V\ufffdE\ufffdf\ufffde\ufffdf\u000bcm\ufffd\ufffd\ufffd N \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\R?\u03d3\u0006(2\u0014\ufffd0MxQ\u0013\u0713t\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdl\ufffd;\ufffd\ufffd\ufffd\u0782 V\ufffdE\ufffdf\ufffde\ufffdfcm\ufffd\ufffd\ufffd N \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\R?\u03d3(2\ufffd0MxQ\u0713t\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdl\ufffd;\u0018\ufffd\ufffd\ufffd\u0782 V\ufffdE\ufffdf\ufffde\ufffdf\u000bcm\ufffd\ufffd\ufffd N \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\R?\u03d3\u0006(2\u0014\ufffd0MxQ\u0013\u0713t\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdl\ufffd;\ufffd\ufffd\ufffd\u0782 V\ufffdE\ufffdf\ufffde\ufffdfcm\ufffd\ufffd\ufffd N \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\R?\u03d3(2\ufffd0MxQ\u0713t\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��ƹx"�UJ��p)�Q��ԁ��3X�$ 5�`�S�uJ��u� ��:LTjuS<��!�a�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��ƹx"�UJ��p)�Q��ԁ��3X�$ 5�`�S�uJ��u� ��:LTjuS<��!�a�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ƹx"�UJ��p)�Q��ԁ��3X�$ 5�`�S�uJ��u� ��:LTjuS<��!�a�&�+�/�,�0̨̩� �� /5� w �+3&$ S�k��@��2�L5VxAĝz "?�� իo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.855616341862445, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "923b52cb13433681a5c1fcce0b3a6921", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\u000e\u01b9x\"\ufffdUJ\ufffd\u001a\ufffdp)\ufffdQ\ufffd\ufffd\ufffd\u0001\ufffd\u0501\u0017\ufffd\ufffd\ufffd3X\ufffd$ 5\ufffd`\u000f\ufffdS\ufffduJ\ufffd\u001b\ufffd\ufffdu\ufffd\t\ufffd\ufffd\ufffd:LTjuS<\ufffd\ufffd!\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\u000e\u01b9x\"\ufffdUJ\ufffd\u001a\ufffdp)\ufffdQ\ufffd\ufffd\ufffd\u0001\ufffd\u0501\u0017\ufffd\ufffd\ufffd3X\ufffd$ 5\ufffd`\u000f\ufffdS\ufffduJ\ufffd\u001b\ufffd\ufffdu\ufffd\t\ufffd\ufffd\ufffd:LTjuS<\ufffd\ufffd!\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 S\ufffdk\ufffd\ufffd@\ufffd\ufffd2\ufffdL5VxA\u011dz \u001c\u0019\"\u0015\u001f?\ufffd\ufffd \u056bo\b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\u000e\u01b9x\"\ufffdUJ\ufffd\u001a\ufffdp)\ufffdQ\ufffd\ufffd\ufffd\u0001\ufffd\u0501\u0017\ufffd\ufffd\ufffd3X\ufffd$ 5\ufffd`\u000f\ufffdS\ufffduJ\ufffd\u001b\ufffd\ufffdu\ufffd\t\ufffd\ufffd\ufffd:LTjuS<\ufffd\ufffd!\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "11ebcb4e9cefd0fa56b9d9f5cc6e9051b0a44186", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\u000e\u01b9x\"\ufffdUJ\ufffd\u001a\ufffdp)\ufffdQ\ufffd\ufffd\ufffd\u0001\ufffd\u0501\u0017\ufffd\ufffd\ufffd3X\ufffd$ 5\ufffd`\u000f\ufffdS\ufffduJ\ufffd\u001b\ufffd\ufffdu\ufffd\t\ufffd\ufffd\ufffd:LTjuS<\ufffd\ufffd!\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\u01b9x\"\ufffdUJ\ufffd\ufffdp)\ufffdQ\ufffd\ufffd\ufffd\ufffd\u0501\ufffd\ufffd\ufffd3X\ufffd$ 5\ufffd`\ufffdS\ufffduJ\ufffd\ufffd\ufffdu\ufffd\t\ufffd\ufffd\ufffd:LTjuS<\ufffd\ufffd!\ufffda\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0007\u000e\u01b9x\"\ufffdUJ\ufffd\u001a\ufffdp)\ufffdQ\ufffd\ufffd\ufffd\u0001\ufffd\u0501\u0017\ufffd\ufffd\ufffd3X\ufffd$ 5\ufffd`\u000f\ufffdS\ufffduJ\ufffd\u001b\ufffd\ufffdu\ufffd\t\ufffd\ufffd\ufffd:LTjuS<\ufffd\ufffd!\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\u01b9x\"\ufffdUJ\ufffd\ufffdp)\ufffdQ\ufffd\ufffd\ufffd\ufffd\u0501\ufffd\ufffd\ufffd*3X\ufffd$ 5\ufffd`\ufffdS\ufffduJ\ufffd\ufffd\ufffdu\ufffd\t\ufffd\ufffd\ufffd:LTjuS<\ufffd\ufffd!\ufffda\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��F#ڏC�2�3�:~P/4`p��W��[Q{\|x �;C��X#@o>�\�nU�D�6�S��-F&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��F#ڏC�2�3�:~P/4`p��W��[Q{\|x �;C��X#@o>�\�nU�D�6�S��-F&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��F#ڏC�2�3�:~P/4`p��W��[Q{\|x �;C��X#@o>�\�nU�D�6�S��-F&�+�/�,�0̨̩� �� /5� w �+3&$ ��IE�� ?��='��)�NMV��B Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.883001258166479, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f7e865951a6ea0f438df927450f712f2", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdF\u001c#\u001e\u068fC\ufffd2\ufffd3\ufffd\u001e:~P\/4`p\ufffd\ufffd\ufffdW\ufffd\ufffd[Q{\|x \ufffd;C\u0007\ufffd\ufffdX#@o>\u000e\u001a\ufffd\\\ufffd\u0006nU\ufffdD\ufffd6\ufffd\u0017S\ufffd\ufffd-F\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdF\u001c#\u001e\u068fC\ufffd2\ufffd3\ufffd\u001e:~P\/4`p\ufffd\ufffd\ufffdW\ufffd\ufffd[Q{\|x \ufffd;C\u0007\ufffd\ufffdX#@o>\u000e\u001a\ufffd\\\ufffd\u0006nU\ufffdD\ufffd6\ufffd\u0017S\ufffd\ufffd-F\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdIE\ufffd\ufffd\ufffd\n\ufffd\ufffd?\ufffd\ufffd='\ufffd\ufffd)\u001a\u001f\ufffdNMV\ufffd\u000e\ufffd\u0005\ufffd\u0019\ufffdB", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdF\u001c#\u001e\u068fC\ufffd2\ufffd3\ufffd\u001e:~P\/4`p\ufffd\ufffd\ufffdW\ufffd\ufffd[Q{\|x \ufffd;C\u0007\ufffd\ufffdX#@o>\u000e\u001a\ufffd\\\ufffd\u0006nU\ufffdD\ufffd6\ufffd\u0017S\ufffd\ufffd-F\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "048e9172f0823a22d28525273df7651a5348774c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdF\u001c#\u001e\u068fC\ufffd2\ufffd3\ufffd\u001e:~P\/4`p\ufffd\ufffd\ufffdW\ufffd\ufffd[Q{\|x \ufffd;C\u0007\ufffd\ufffdX#@o>\u000e\u001a\ufffd\\\ufffd\u0006nU\ufffdD\ufffd6\ufffd\u0017S\ufffd\ufffd-F\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffdF#\u068fC\ufffd2\ufffd3\ufffd:~P\/4`p\ufffd\ufffd\ufffdW\ufffd\ufffd[Q{\|x \ufffd;C\ufffd\ufffdX#@o>\ufffd\\\ufffdnU\ufffdD\ufffd6\ufffdS\ufffd\ufffd-F&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdF\u001c#\u001e\u068fC\ufffd2\ufffd3\ufffd\u001e:~P\/4`p\ufffd\ufffd\ufffdW\ufffd\ufffd[Q{\|x \ufffd;C\u0007\ufffd\ufffdX#@o>\u000e\u001a\ufffd\\\ufffd\u0006nU\ufffdD\ufffd6\ufffd\u0017S\ufffd\ufffd-F\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdF#\u068fC\ufffd2\ufffd3\ufffd:~P\/4`p\ufffd\ufffd\ufffdW\ufffd\ufffd[Q{\|x \ufffd;C\ufffd\ufffdX#@o>\ufffd\\\ufffdnU\ufffdD\ufffd6\ufffdS\ufffd\ufffd-F&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��V�7��3� Y��LҌ��Ň��Z��'q3 ��4�E��7��o�/��!`�a�pp'Sl�j5&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��V�7��3� Y��LҌ��Ň��Z��'q3 ��4�E��7��o�/��!`�a�pp'Sl�j5&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��V�7��3� Y��LҌ��Ň��Z��'q3 ��4�E��7��o�/��!`�a�pp'Sl�j5&�+�/�,�0̨̩� �� /5� w �+3&$ t �m�-�!~�u��@S��?��@A��Cqy Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.838956803203342, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "66505ab7e5986abb929ea45680dc8cff", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffdV\ufffd\u00027\ufffd\ufffd3\u001f\ufffd\nY\ufffd\ufffdL\u048c\ufffd\ufffd\u0147\ufffd\ufffd\u0017\u001eZ\ufffd\ufffd'q3 \ufffd\ufffd4\ufffdE\ufffd\ufffd\ufffd7\ufffd\u0015\ufffdo\ufffd\/\ufffd\ufffd!`\ufffda\ufffd\u0005pp'Sl\ufffdj5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffdV\ufffd\u00027\ufffd\ufffd3\u001f\ufffd\nY\ufffd\ufffdL\u048c\ufffd\ufffd\u0147\ufffd\ufffd\u0017\u001eZ\ufffd\ufffd'q3 \ufffd\ufffd4\ufffdE\ufffd\ufffd\ufffd7\ufffd\u0015\ufffdo\ufffd\/\ufffd\ufffd!`\ufffda\ufffd\u0005pp'Sl\ufffdj5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 t\u000b\r\ufffdm\ufffd-\ufffd\u0000!~\ufffdu\ufffd\ufffd\ufffd\ufffd@S\ufffd\ufffd?\ufffd\ufffd@A\ufffd\ufffd\ufffdCqy", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffdV\ufffd\u00027\ufffd\ufffd3\u001f\ufffd\nY\ufffd\ufffdL\u048c\ufffd\ufffd\u0147\ufffd\ufffd\u0017\u001eZ\ufffd\ufffd'q3 \ufffd\ufffd4\ufffdE\ufffd\ufffd\ufffd7\ufffd\u0015\ufffdo\ufffd\/\ufffd\ufffd!`\ufffda\ufffd\u0005pp'Sl\ufffdj5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25e91149b0cbff06128654580b2f131601a749cb", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffdV\ufffd\u00027\ufffd\ufffd3\u001f\ufffd\nY\ufffd\ufffdL\u048c\ufffd\ufffd\u0147\ufffd\ufffd\u0017\u001eZ\ufffd\ufffd'q3 \ufffd\ufffd4\ufffdE\ufffd\ufffd\ufffd7\ufffd\u0015\ufffdo\ufffd\/\ufffd\ufffd!`\ufffda\ufffd\u0005pp'Sl\ufffdj5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffdV\ufffd7\ufffd\ufffd3\ufffd\nY\ufffd\ufffdL\u048c\ufffd\ufffd\u0147\ufffd\ufffdZ\ufffd\ufffd'q3 \ufffd\ufffd4\ufffdE\ufffd\ufffd\ufffd7\ufffd\ufffdo\ufffd\/\ufffd\ufffd!`\ufffda\ufffdpp'Sl\ufffdj5&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0014\ufffdV\ufffd\u00027\ufffd\ufffd3\u001f\ufffd\nY\ufffd\ufffdL\u048c\ufffd\ufffd\u0147\ufffd\ufffd\u0017\u001eZ\ufffd\ufffd'q3 \ufffd\ufffd4\ufffdE\ufffd\ufffd\ufffd7\ufffd\u0015\ufffdo\ufffd\/\ufffd\ufffd!`\ufffda\ufffd\u0005pp'Sl\ufffdj5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdV\ufffd7\ufffd\ufffd3\ufffd\nY\ufffd\ufffdL\u048c\ufffd\ufffd\u0147\ufffd\ufffdZ\ufffd\ufffd'q3 \ufffd\ufffd4\ufffdE\ufffd\ufffd\ufffd7\ufffd\ufffdo\ufffd\/\ufffd\ufffd!`\ufffda\ufffdpp'Sl\ufffdj5&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��Ha��8N��\|��{h��q�^�O��/ ��?��Ҫ Y��%�� \m֨!�P&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��Ha��8N��\|��{h��q�^�O��/ ��?��Ҫ Y��%�� \m֨!�P&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Ha��8N��\|��{h��q�^�O��/ ��?��Ҫ Y��%�� \m֨!�P&�+�/�,�0̨̩� �� /5� w �+3&$ �D��^uc�c��Upa��'1>�.aFB�RG Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.790188123480879, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "aac34e6384161b01007224fc89f4ad4e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0001a\ufffd\ufffd\ufffd\ufffd\u0010\u00068\u0010N\u0003\ufffd\ufffd\|\ufffd\ufffd{h\ufffd\ufffd\ufffdq\ufffd^\ufffdO\ufffd\ufffd\ufffd\/ \ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd\u04aa Y\ufffd\ufffd%\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\u0007\n\\m\u0001\u05a8!\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0001a\ufffd\ufffd\ufffd\ufffd\u0010\u00068\u0010N\u0003\ufffd\ufffd\|\ufffd\ufffd{h\ufffd\ufffd\ufffdq\ufffd^\ufffdO\ufffd\ufffd\ufffd\/ \ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd\u04aa Y\ufffd\ufffd%\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\u0007\n\\m\u0001\u05a8!\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdD\ufffd\u0012\ufffd^uc\ufffdc\ufffd\ufffd\u0018Upa\ufffd\u0015\ufffd\u000f'1>\ufffd.a\u0001FB\ufffdRG", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0001a\ufffd\ufffd\ufffd\ufffd\u0010\u00068\u0010N\u0003\ufffd\ufffd\|\ufffd\ufffd{h\ufffd\ufffd\ufffdq\ufffd^\ufffdO\ufffd\ufffd\ufffd\/ \ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd\u04aa Y\ufffd\ufffd%\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\u0007\n\\m\u0001\u05a8!\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d30c94f48e5fe0e5ba353338ec55871a9dc4782a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0001a\ufffd\ufffd\ufffd\ufffd\u0010\u00068\u0010N\u0003\ufffd\ufffd\|\ufffd\ufffd{h\ufffd\ufffd\ufffdq\ufffd^\ufffdO\ufffd\ufffd\ufffd\/ \ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd\u04aa Y\ufffd\ufffd%\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\u0007\n\\m\u0001\u05a8!\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffdHa\ufffd\ufffd\ufffd\ufffd8N\ufffd\ufffd\|\ufffd\ufffd{h\ufffd\ufffd\ufffdq\ufffd^\ufffdO\ufffd\ufffd\ufffd\/ \ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd\u04aa Y\ufffd\ufffd%\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\\m\u05a8!\ufffdP&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0001a\ufffd\ufffd\ufffd\ufffd\u0010\u00068\u0010N\u0003\ufffd\ufffd\|\ufffd\ufffd{h\ufffd\ufffd\ufffdq\ufffd^\ufffdO\ufffd\ufffd\ufffd\/ \ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd\u04aa Y\ufffd\ufffd%\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0014\u0007\n\\m\u0001\u05a8!\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdHa\ufffd\ufffd\ufffd\ufffd8N\ufffd\ufffd\|\ufffd\ufffd{h\ufffd\ufffd\ufffdq\ufffd^\ufffdO\ufffd\ufffd\ufffd\/ \ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd\u04aa Y\ufffd\ufffd%\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n\\m\u05a8!\ufffdP&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��\|��F��ysw��qe�H� :� E{&�j�q�1��$1�O�D:�w ��;�%&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��\|��F��ysw��qe�H� :� E{&�j�q�1��$1�O�D:�w ��;�%&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��\|��F��ysw��qe�H� :� E{&�j�q�1��$1�O�D:�w ��;�%&�+�/�,�0̨̩� �� /5� w �+3&$ ��Y�Z�^�C��L2P)��F�[2 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.814316031883255, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7af0592d964fa409f773f4c034a463f1", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\|\ufffd\ufffd\ufffd\u0014\ufffdF\u0018\ufffd\ufffd\u001cysw\ufffd\u0000\ufffdq\u0010e\ufffd\u0080H\ufffd\u0010 :\ufffd\u0013 E{&\ufffd\u0000j\ufffdq\ufffd1\ufffd\ufffd$1\ufffdO\ufffdD:\ufffdw \u000e\ufffd\u0011\u0016\ufffd;\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\|\ufffd\ufffd\ufffd\u0014\ufffdF\u0018\ufffd\ufffd\u001cysw\ufffd\u0000\ufffdq\u0010e\ufffd\u0080H\ufffd\u0010 :\ufffd\u0013 E{&\ufffd\u0000j\ufffdq\ufffd1\ufffd\ufffd$1\ufffdO\ufffdD:\ufffdw \u000e\ufffd\u0011\u0016\ufffd;\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdY\ufffd\u0011Z\ufffd^\ufffdC\ufffd\ufffd\ufffdL2\u001cP)\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdF\ufffd[2\u001e\u000b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\|\ufffd\ufffd\ufffd\u0014\ufffdF\u0018\ufffd\ufffd\u001cysw\ufffd\u0000\ufffdq\u0010e\ufffd\u0080H\ufffd\u0010 :\ufffd\u0013 E{&\ufffd\u0000j\ufffdq\ufffd1\ufffd\ufffd$1\ufffdO\ufffdD:\ufffdw \u000e\ufffd\u0011\u0016\ufffd;\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6f114f73fd0be6b520182fe6dfc9d13e03d48cb4", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\|\ufffd\ufffd\ufffd\u0014\ufffdF\u0018\ufffd\ufffd\u001cysw\ufffd\u0000\ufffdq\u0010e\ufffd\u0080H\ufffd\u0010 :\ufffd\u0013 E{&\ufffd\u0000j\ufffdq\ufffd1\ufffd\ufffd$1\ufffdO\ufffdD:\ufffdw \u000e\ufffd\u0011\u0016\ufffd;\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\|\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffdysw\ufffd\ufffdqe\ufffd\u0080H\ufffd :\ufffd E{&\ufffdj\ufffdq\ufffd1\ufffd\ufffd$1\ufffdO\ufffdD:\ufffdw \ufffd\ufffd;\ufffd%&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\|\ufffd\ufffd\ufffd\u0014\ufffdF\u0018\ufffd\ufffd\u001cysw\ufffd\u0000\ufffdq\u0010e\ufffd\u0080H\ufffd\u0010 :\ufffd\u0013 E{&\ufffd\u0000j\ufffdq\ufffd1\ufffd\ufffd$1\ufffdO\ufffdD:\ufffdw \u000e\ufffd\u0011\u0016\ufffd;\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\|\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffdysw\ufffd\ufffdqe\ufffd\u0080H\ufffd :\ufffd E{&\ufffdj\ufffdq\ufffd1\ufffd\ufffd$1\ufffdO\ufffdD:*\ufffdw \ufffd\ufffd;\ufffd%&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��=�]0�ˮDq�YK�-��9, i(bʺ ��Q@� ��7r�ڬ�Jg��R&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��=�]0�ˮDq�YK�-��9, i(bʺ ��Q@��7r�ڬ�Jg��R&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��=�]0�ˮDq�YK�-��9, i(bʺ ��Q@� ��7r�ڬ�Jg��R&�+�/�,�0̨̩� �� /5� w �+3&$ j3�S��W�� m�g3��jAk x�H./ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.787056202518761, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ed776ea51d282d3d1350815dde234c30", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd\u0002\ufffd\ufffd=\ufffd]0\ufffd\u0016\u02eeDq\ufffdYK\ufffd-\u0014\ufffd\u0003\ufffd9,\u0011 i(b\u02ba\n\ufffd\ufffd\ufffdQ@\ufffd\f\ufffd\ufffd\u0018\ufffd7\u001b\br\ufffd\u06ac\ufffdJg\ufffd\ufffd\ufffd\ufffdR\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd\u0002\ufffd\ufffd=\ufffd]0\ufffd\u0016\u02eeDq\ufffdYK\ufffd-\u0014\ufffd\u0003\ufffd9,\u0011 i(b\u02ba\n\ufffd\ufffd\ufffdQ@\ufffd\f\ufffd\ufffd\u0018\ufffd7\u001b\br\ufffd\u06ac\ufffdJg\ufffd\ufffd\ufffd\ufffdR\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 j3\ufffd\u0002S\ufffd\ufffdW\ufffd\ufffd\u0004\u000f\t\ufffd\u0007m\ufffdg3\ufffd\ufffdjAk\nx\ufffd\u0019H.\/ ", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd\u0002\ufffd\ufffd=\ufffd]0\ufffd\u0016\u02eeDq\ufffdYK\ufffd-\u0014\ufffd\u0003\ufffd9,\u0011 i(b\u02ba\n\ufffd\ufffd\ufffdQ@\ufffd\f\ufffd\ufffd\u0018\ufffd7\u001b\br\ufffd\u06ac\ufffdJg\ufffd\ufffd\ufffd\ufffdR\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "162e234de27d9eb2407fb449c761b9439d66c784", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd\u0002\ufffd\ufffd=\ufffd]0\ufffd\u0016\u02eeDq\ufffdYK\ufffd-\u0014\ufffd\u0003\ufffd9,\u0011 i(b\u02ba\n\ufffd\ufffd\ufffdQ@\ufffd\f\ufffd\ufffd\u0018\ufffd7\u001b\br\ufffd\u06ac\ufffdJg\ufffd\ufffd\ufffd\ufffdR\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd]0\ufffd\u02eeDq\ufffdYK\ufffd-\ufffd\ufffd9, i(b\u02ba\n\ufffd\ufffd\ufffdQ@\ufffd\ufffd\ufffd\ufffd7r\ufffd\u06ac\ufffdJg\ufffd\ufffd\ufffd\ufffdR&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\ufffd\u0002\ufffd\ufffd=\ufffd]0\ufffd\u0016\u02eeDq\ufffdYK\ufffd-\u0014\ufffd\u0003\ufffd9,\u0011 i(b\u02ba\n\ufffd\ufffd\ufffdQ@\ufffd\f\ufffd\ufffd\u0018\ufffd7\u001b\br\ufffd\u06ac\ufffdJg\ufffd\ufffd\ufffd\ufffdR\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd]0\ufffd\u02eeDq\ufffdYK\ufffd-\ufffd\ufffd9, i(b\u02ba\n\ufffd\ufffd\ufffdQ@\ufffd\ufffd\ufffd\ufffd7r\ufffd\u06ac\ufffdJg\ufffd\ufffd\ufffd\ufffdR&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }
14/06/2026 11:02:53 UTC	TCP	9443 · HTTPS	https	Sonde PostgreSQL postgres probe · via HTTPS:9443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello websphere_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload ��lo�k�+�8 ��VK�\|��w��s�ol��x Y� �)[Z�戴 N+��4��pH�� res&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) ��lo�k�+�8��VK�\|��w��s�ol��x Y� �)[Z�戴N+��4��pH��res&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��lo�k�+�8 ��VK�\|��w��s�ol��x Y� �)[Z�戴 N+��4��pH�� res&�+�/�,�0̨̩� �� /5� w �+3&$ P�sN�dS-�p�dZVkŴ��l] jKf0& Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.726353358642438, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "IN", "dst_port": 9443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f2969b3a7d1c31616fffb40602d4e6e3999b3dc2", "event_fingerprint": "5b8d9bc7bcb6d0b9bee3faac4a80649a400d4176", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "IN", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d03d8aa9fcbdf693b329412f1199c20d", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lo\ufffd\u0018k\ufffd+\ufffd\u00028\u000b\u0012\ufffd\ufffd\ufffdVK\ufffd\|\ufffd\ufffdw\ufffd\ufffd\u0001s\ufffdol\ufffd\ufffdx \tY\ufffd\n\ufffd\u0014)[Z\ufffd\ufa8c\fN+\ufffd\u0018\ufffd4\u001c\ufffd\ufffdpH\ufffd\ufffd\u0013\fres\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lo\ufffd\u0018k\ufffd+\ufffd\u00028\u000b\u0012\ufffd\ufffd\ufffdVK\ufffd\|\ufffd\ufffdw\ufffd\ufffd\u0001s\ufffdol\ufffd\ufffdx \tY\ufffd\n\ufffd\u0014)[Z\ufffd\ufa8c\fN+\ufffd\u0018\ufffd4\u001c\ufffd\ufffdpH\ufffd\ufffd\u0013\fres\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 P\ufffd\u000f\bsN\ufffddS-\ufffdp\ufffddZVk\u0174\ufffd\ufffd\ufffdl]\u0004\njKf0&\u000b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lo\ufffd\u0018k\ufffd+\ufffd\u00028\u000b\u0012\ufffd\ufffd\ufffdVK\ufffd\|\ufffd\ufffdw\ufffd\ufffd\u0001s\ufffdol\ufffd\ufffdx \tY\ufffd\n\ufffd\u0014)[Z\ufffd\ufa8c\fN+\ufffd\u0018\ufffd4\u001c\ufffd\ufffdpH\ufffd\ufffd\u0013\fres\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "79a390eecef0ec69ac95c9eff723951714cc5c84", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lo\ufffd\u0018k\ufffd+\ufffd\u00028\u000b\u0012\ufffd\ufffd\ufffdVK\ufffd\|\ufffd\ufffdw\ufffd\ufffd\u0001s\ufffdol\ufffd\ufffdx \tY\ufffd\n\ufffd\u0014)[Z\ufffd\ufa8c\fN+\ufffd\u0018\ufffd4\u001c\ufffd\ufffdpH\ufffd\ufffd\u0013\fres\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffdlo\ufffdk\ufffd+\ufffd8\ufffd\ufffd\ufffdVK\ufffd\|\ufffd\ufffdw\ufffd\ufffds\ufffdol\ufffd\ufffdx \tY\ufffd\n\ufffd)[Z\ufffd\ufa8cN+\ufffd\ufffd4\ufffd\ufffdpH\ufffd\ufffdres&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lo\ufffd\u0018k\ufffd+\ufffd\u00028\u000b\u0012\ufffd\ufffd\ufffdVK\ufffd\|\ufffd\ufffdw\ufffd\ufffd\u0001s\ufffdol\ufffd\ufffdx \tY\ufffd\n\ufffd\u0014)[Z\ufffd\ufa8c\fN+\ufffd\u0018\ufffd4\u001c\ufffd\ufffdpH\ufffd\ufffd\u0013\fres\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "postgres probe \u00b7 via HTTPS:9443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdlo\ufffdk\ufffd+\ufffd8\ufffd\ufffd\ufffdVK\ufffd\|\ufffd\ufffdw\ufffd\ufffds\ufffdol\ufffd\ufffdx \tY\ufffd\n\ufffd)[Z\ufffd\ufa8cN+\ufffd\ufffd4\ufffd\ufffdpH\ufffd\ufffdres&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello", "websphere_probe" ], "asn_dc_heuristic": true }

34.180.34.53

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence