Détails IP 34.47.80.115

Synthèse exécutive

Profil de menace

Score de risque 52/100 Moyen

Première observation 14/06/2026 18:05 UTC

Dernière observation 14/06/2026 18:05 UTC

Événements (période) 332

MITRE ATT&CK principal TA0007 235 occurrences

Activité suspecte — risque 34/100 (Faible) — MITRE TA0001 — via HDFS NAMENODE

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « syn_flood » (signaux protocolaires) · confiance 0%

Confiance 0 % — 4 signal(aux) capteur

Comparaison ASN / FAI

ASN 396982 · 34.47.64.0/18 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 332 événements sur la période pour cette IP.

198.235.24.247 Sonde port 18/06/2026 19:53 UTC
162.216.150.82 Scanner web 18/06/2026 19:51 UTC
147.185.132.48 Sonde port 18/06/2026 19:51 UTC
147.185.132.180 Sonde port 18/06/2026 19:50 UTC
205.210.31.109 Sonde PostgreSQL 18/06/2026 19:50 UTC
147.185.132.33 Scanner web 18/06/2026 19:50 UTC
147.185.133.227 Sonde port 3307/TCP 18/06/2026 19:49 UTC
35.203.211.244 Scanner web 18/06/2026 19:48 UTC

IPs apparentées

Même FAI Google LLC — corrélation indicative.

198.235.24.247 Sonde port
162.216.150.82 Scanner web
147.185.132.48 Sonde port
147.185.132.180 Sonde port
205.210.31.109 Sonde PostgreSQL

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

332 événement(s) — page 1/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /server/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/537 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /server/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/537 Requête brute (extrait) GET /server/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 262, "payload_entropy": 5.425921831212348, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ddcbe73b25a19b58f4ea67ca3f85261d", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537", "request_sample": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537", "evidence": { "request_sample": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b354700593aa59f1b0bc8e3c5bea7248f3b20689", "protocol_details": { "payload_preview": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/server\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /var/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (K Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /var/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (K Requête brute (extrait) GET /var/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 248, "payload_entropy": 5.425086148618453, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e43f41bad329ecceab323de7e2647311", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (K", "request_sample": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (K", "evidence": { "request_sample": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4151a648577cbdf8478c9f82714483d282aaf530", "protocol_details": { "payload_preview": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (K", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (K", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (K", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/var\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (K", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /release/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /release/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb Requête brute (extrait) GET /release/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15G77 MicroMessenger/7.0.3(0x17000321) NetType/WIFI Language/zh_CN Accept-Charset: utf- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 303, "payload_entropy": 5.440489124403433, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "65090852c332540839f31aaec1e65e5f", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "request_sample": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-", "payload_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "evidence": { "request_sample": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15G77 MicroMessenger\/7.0.3(0x17000321) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-", "payload_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "790c97e176ef3322315b009b9a9c79dae3cf137f", "protocol_details": { "payload_preview": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/release\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWeb", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /config/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/ Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 44 Confiance : Confiance 0 % — 6 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /config/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/ Requête brute (extrait) GET /config/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 YaBrowser/19.7.0.1990 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-En Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 291, "payload_entropy": 5.429409347293247, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 44, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fe877a7756155d2222a1b1375c595b0011e73afe", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dbf64438907adee3012bbc1aa83a0dca", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 44 }, "payload_preview": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "request_sample": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 YaBrowser\/19.7.0.1990 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-En", "payload_snippet": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "evidence": { "request_sample": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 YaBrowser\/19.7.0.1990 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-En", "payload_snippet": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cf2c3a3a77c32a1d1a94e33484608c50357a7d75", "protocol_details": { "payload_preview": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/config\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /private/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko/201001 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /private/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko/201001 Requête brute (extrait) GET /private/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko/20100101 Firefox/54.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 212, "payload_entropy": 5.303107816199932, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5e398e2ead6480fc0d44ea692af2f1f4", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko\/201001", "request_sample": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko\/20100101 Firefox\/54.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko\/201001", "evidence": { "request_sample": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko\/20100101 Firefox\/54.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko\/201001", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "32e9fbd12627925cfe157c2e68196e82e7582dbe", "protocol_details": { "payload_preview": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko\/201001", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko\/201001", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko\/201001", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/private\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64; rv:54.0) Gecko\/201001", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /config/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 44 Confiance : Confiance 0 % — 6 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /config/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /config/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 251, "payload_entropy": 5.381634308842309, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 44, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fe877a7756155d2222a1b1375c595b0011e73afe", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "da16046533f8af8ee84a4478e667a890", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 44 }, "payload_preview": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7d00608a11b4b0b81f928653219c4001f88479d1", "protocol_details": { "payload_preview": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/config\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Faible · 34
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /packages/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Web Downloader/6.9 Accept-Charset: utf-8 Accept-Encoding: Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /packages/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Web Downloader/6.9 Accept-Charset: utf-8 Accept-Encoding: Requête brute (extrait) GET /packages/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Web Downloader/6.9 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 155, "payload_entropy": 5.1348841792107445, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4c534dfcbc4ff30ad0edf86865b3d75c7daa6ecf", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "58ecba3d1e1669f81223f7581d5e296e", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 34 }, "payload_preview": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Web Downloader\/6.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding: ", "request_sample": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Web Downloader\/6.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Web Downloader\/6.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "evidence": { "request_sample": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Web Downloader\/6.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Web Downloader\/6.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "12022c5e2bb70a2a0707d388bfc68c7fb4a6378f", "protocol_details": { "payload_preview": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Web Downloader\/6.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Web Downloader\/6.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 34\/100 (Faible) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 34, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Web Downloader\/6.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/packages\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Web Downloader\/6.9\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde Elasticsearch elasticsearch probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /admin/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960W) AppleWebKit/537.36 (KH Pourquoi cette classification : Type « elasticsearch_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 49 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0341 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES admin GET User-Agent — Règles WAF — Payload (extrait) GET /admin/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960W) AppleWebKit/537.36 (KH Requête brute (extrait) GET /admin/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 255, "payload_entropy": 5.421022272490135, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0341" ], "kb_rule_ids": [ "pat-0341" ], "matched_patterns": [ "pat-0341" ], "matched_pattern_names": [ "ES admin GET" ], "pattern_ids": [ "pat-0341" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8ff5d46dd92a90c7e805a0b54ea3e675", "path_pattern_hash": "9dbf5366f59d9174076d704198d3d3fd" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 49 }, "payload_preview": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960W) AppleWebKit\/537.36 (KH", "request_sample": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960W) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960W) AppleWebKit\/537.36 (KH", "evidence": { "request_sample": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960W) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960W) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "08bc0bc6f247515df42b98e32fb8b1961401abe1", "protocol_details": { "payload_preview": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960W) AppleWebKit\/537.36 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960W) AppleWebKit\/537.36 (KH", "attack_vector": "elasticsearch probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0341" ], "tags_summary_labels_fr": [ "pat-0341" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960W) AppleWebKit\/537.36 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "elasticsearch probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/admin\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960W) AppleWebKit\/537.36 (KH", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /frontend/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /frontend/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537 Requête brute (extrait) GET /frontend/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 255, "payload_entropy": 5.425830088818634, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9e5f3a3dd1ea4e9023acf65fc624f33b", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "request_sample": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "evidence": { "request_sample": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a8cd517596b1483442aa0ab3d3bc3a66c473c600", "protocol_details": { "payload_preview": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/frontend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /laravel/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; OPPO A57 Build/MMB29M; wv) App Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /laravel/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; OPPO A57 Build/MMB29M; wv) App Requête brute (extrait) GET /laravel/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; OPPO A57 Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044813 Mobile Safari/537.36 MMWEBID/6886 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 405, "payload_entropy": 5.566777406101932, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "48515512c84564c597dbcf736d159638", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; OPPO A57 Build\/MMB29M; wv) App", "request_sample": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; OPPO A57 Build\/MMB29M; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044813 Mobile Safari\/537.36 MMWEBID\/6886", "payload_snippet": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; OPPO A57 Build\/MMB29M; wv) App", "evidence": { "request_sample": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; OPPO A57 Build\/MMB29M; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044813 Mobile Safari\/537.36 MMWEBID\/6886", "payload_snippet": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; OPPO A57 Build\/MMB29M; wv) App", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "67dcd5ba4a72ef86e7ca686d6d960348dc736204", "protocol_details": { "payload_preview": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; OPPO A57 Build\/MMB29M; wv) App", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; OPPO A57 Build\/MMB29M; wv) App", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; OPPO A57 Build\/MMB29M; wv) App", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/laravel\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; OPPO A57 Build\/MMB29M; wv) App", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /services/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/ Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /services/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/ Requête brute (extrait) GET /services/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 258, "payload_entropy": 5.411905080823147, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "96631aff4ea6c0dc0ebd7d574e511623", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/", "request_sample": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/", "evidence": { "request_sample": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1a257874be39c15f1bd552e296f8fb7c4b98cb2e", "protocol_details": { "payload_preview": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/services\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /frontend/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /frontend/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi Requête brute (extrait) GET /frontend/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3835.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 258, "payload_entropy": 5.384045347987969, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "094748c9581cf86aa215ae0eaf89359b", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "request_sample": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3835.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "evidence": { "request_sample": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3835.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34b87b63e1859524c7b6ad8ee2e98c942c16542b", "protocol_details": { "payload_preview": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKi", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /portal/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit/537.36 (KH Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /portal/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit/537.36 (KH Requête brute (extrait) GET /portal/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 254, "payload_entropy": 5.385016878368065, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "24c7775b62d028fdbcd330f9dea8c805", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit\/537.36 (KH", "request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit\/537.36 (KH", "evidence": { "request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "045351ddf94709a023c5f56e5d292b2d17916dcd", "protocol_details": { "payload_preview": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit\/537.36 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit\/537.36 (KH", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit\/537.36 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; LG-H873) AppleWebKit\/537.36 (KH", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /frontend/.env.dev HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /frontend/.env.dev HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /frontend/.env.dev HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3875.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 249, "payload_entropy": 5.399581097440054, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "889752da353cddb4ced8e68e1a4bf798", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 ", "request_sample": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3875.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3875.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d76cacc7b53b4e39c2f0b2c838098dd0ab19680c", "protocol_details": { "payload_preview": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/frontend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /private/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHT Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /private/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHT Requête brute (extrait) GET /private/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AP Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 261, "payload_entropy": 5.472234650762604, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "744b4cf71da5978540eb3a8b2f3d68d4", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "request_sample": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.9174AP\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "evidence": { "request_sample": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.9174AP\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "745164956ccdf047ed587baa966bf9bab3a3ad42", "protocol_details": { "payload_preview": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/private\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /backend/.env.staging HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Ge Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /backend/.env.staging HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Ge Requête brute (extrait) GET /backend/.env.staging HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 223, "payload_entropy": 5.242746132162274, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "60ff3e6d3c39606b5af0b950e91b7231", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Ge", "request_sample": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Ge", "evidence": { "request_sample": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Ge", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7ac6b6cc2e1231b18b77ab230e0f39c34f784394", "protocol_details": { "payload_preview": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Ge", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Ge", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Ge", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Ge", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /internal/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHT Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /internal/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /internal/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.122 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 247, "payload_entropy": 5.395213764147858, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9dc91d9908f32ca5f0e602427d9de454", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "request_sample": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "evidence": { "request_sample": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.122 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89ade5bd873048286f57bf6ec2db650c21380419", "protocol_details": { "payload_preview": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/internal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /backend/.env.dev HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/604.1 (KHTML, lik Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /backend/.env.dev HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/604.1 (KHTML, lik Requête brute (extrait) GET /backend/.env.dev HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/604.1 (KHTML, like Gecko) Version/11.0 Safari/604.1 Ubuntu/17.04 (3.24.1-0ubuntu1) Epiphany/3.24.1 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 278, "payload_entropy": 5.420050032705711, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89b2c7946137826a0a8ed5d320b60253", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, lik", "request_sample": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, like Gecko) Version\/11.0 Safari\/604.1 Ubuntu\/17.04 (3.24.1-0ubuntu1) Epiphany\/3.24.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, lik", "evidence": { "request_sample": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, like Gecko) Version\/11.0 Safari\/604.1 Ubuntu\/17.04 (3.24.1-0ubuntu1) Epiphany\/3.24.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, lik", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cf01e546e8d7c2772cc39b8b8cd4346f3050db26", "protocol_details": { "payload_preview": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, lik", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, lik", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, lik", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, lik", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Faible · 34
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /public/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass User-Agent — Règles WAF — Payload (extrait) GET /public/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1 Requête brute (extrait) GET /public/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 231, "payload_entropy": 5.283751513231423, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4c534dfcbc4ff30ad0edf86865b3d75c7daa6ecf", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1e99878c38b4a9741f039d6bcfc86206", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 34 }, "payload_preview": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1", "request_sample": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1", "evidence": { "request_sample": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8cd7c0a233d4522901b6cb086d235cbaa29ed729", "protocol_details": { "payload_preview": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 34\/100 (Faible) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 34, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/public\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /www/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Ac Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /www/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Ac Requête brute (extrait) GET /www/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 193, "payload_entropy": 5.2415145007404735, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "12e06c7fd614b292d73a27c7577c471c", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.0\r\nAc", "request_sample": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.0\r\nAc", "evidence": { "request_sample": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.0\r\nAc", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b617a46995e43273a08f5e7d90567494e64bb722", "protocol_details": { "payload_preview": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.0\r\nAc", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.0\r\nAc", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.0\r\nAc", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/www\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; rv:36.0) Gecko\/20100101 Firefox\/36.0\r\nAc", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /backend/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; RMX1851) AppleWebKit/537.36 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /backend/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; RMX1851) AppleWebKit/537.36 Requête brute (extrait) GET /backend/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; RMX1851) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 259, "payload_entropy": 5.441252310554823, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0e303191d1b368abea5fa364131f82d3", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36", "request_sample": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "508594aade06520d4182d3edcea5d26d8f513ba8", "protocol_details": { "payload_preview": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/backend\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1851) AppleWebKit\/537.36", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KH Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KH Requête brute (extrait) GET /apps/frontend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 OPR/63.0.3368.35 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 265, "payload_entropy": 5.40932589730829, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e9b60034bd4e29f75a06088e2c041690", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "request_sample": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\/63.0.3368.35\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "evidence": { "request_sample": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\/63.0.3368.35\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e990b536199115094b20922b4dbf8e8bd268dd4d", "protocol_details": { "payload_preview": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/apps\/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /cms/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /cms/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /cms/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 237, "payload_entropy": 5.424866744892322, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0c22c653c6e6dcf010b4ae5410d92fb2", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like ", "request_sample": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "request_sample": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d952e919145dccab2ffd2f6cc65b19fbccd39565", "protocol_details": { "payload_preview": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/cms\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /apps/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.36 (KH Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /apps/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.36 (KH Requête brute (extrait) GET /apps/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 255, "payload_entropy": 5.436125077959244, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d8313654f6bd314de2743ddd400d3f06", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KH", "request_sample": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KH", "evidence": { "request_sample": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71944678b92908c8eb092b2931f1ac620842eeb3", "protocol_details": { "payload_preview": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KH", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/apps\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; FRD-L09) AppleWebKit\/537.36 (KH", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /sendgrid/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /sendgrid/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Requête brute (extrait) GET /sendgrid/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Accept-Charset: utf Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 304, "payload_entropy": 5.263245145488292, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "87a9ffcb2dc380ee03acfa48709b2cef", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0; ", "request_sample": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nAccept-Charset: utf", "payload_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0;", "evidence": { "request_sample": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nAccept-Charset: utf", "payload_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0;", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "928798301954790128d5eb57e30182fa8822b06c", "protocol_details": { "payload_preview": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0;", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0;", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0;", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\/4.0;", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /.sendgrid.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-L29) AppleWebKit/537.36 (KHTM Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /.sendgrid.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-L29) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.sendgrid.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 253, "payload_entropy": 5.406619974156834, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b7c070ac76ac533fa6a0484055753204", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29) AppleWebKit\/537.36 (KHTM", "request_sample": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29) AppleWebKit\/537.36 (KHTM", "evidence": { "request_sample": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44684a3e8a16ae087ba263770a453d5ba5933bf4", "protocol_details": { "payload_preview": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29) AppleWebKit\/537.36 (KHTM", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29) AppleWebKit\/537.36 (KHTM", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29) AppleWebKit\/537.36 (KHTM", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/.sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-L29) AppleWebKit\/537.36 (KHTM", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /sendgrid.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; COL-L29) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /sendgrid.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; COL-L29) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /sendgrid.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; COL-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 252, "payload_entropy": 5.4247121526352355, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c137fcc0154dcebf524bac545eeaa94", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c52795750eb0cb0c95bac2d6f9441ef2cd4b0a91", "protocol_details": { "payload_preview": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; COL-L29) AppleWebKit\/537.36 (KHTML", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /sendgrid/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /sendgrid/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit Requête brute (extrait) GET /sendgrid/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 257, "payload_entropy": 5.401506613484634, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "351c93db33df454b0ac2b64afbd7f4a5", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "request_sample": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "evidence": { "request_sample": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1553ac94955dc10e1f6648f4ce167b0d4dea9cb7", "protocol_details": { "payload_preview": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537 Requête brute (extrait) GET /dashboard/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 255, "payload_entropy": 5.418660243130461, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d036da1a8a9b3528399cd2780dcdf151", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "request_sample": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "evidence": { "request_sample": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fa158a79fd5f7c25b4ad8e660c0ed2990173dd90", "protocol_details": { "payload_preview": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/dashboard\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /tmp/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /tmp/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Requête brute (extrait) GET /tmp/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 231, "payload_entropy": 5.394467465313376, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a4f8a08a41133c36e4e6d31a2e875ca1", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) ", "request_sample": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "evidence": { "request_sample": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bb16787334ace3c8e36ae5f1eeb89e4f8cfb9be0", "protocol_details": { "payload_preview": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/tmp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /frontend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KH Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /frontend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KH Requête brute (extrait) GET /frontend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AP Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 262, "payload_entropy": 5.465599624198988, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "522d381593af34cccfe1b46290ce77fd", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KH", "request_sample": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.9174AP\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KH", "evidence": { "request_sample": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.9174AP\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KH", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58e44892ba63383b397290b9ab82cf0239b44ee0", "protocol_details": { "payload_preview": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KH", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KH", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/frontend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KH", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Faible · 34
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /backend/.env.bak HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CL Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /backend/.env.bak HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CL Requête brute (extrait) GET /backend/.env.bak HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: MOT-L7v/08.B7.5DR MIB/2.2.1 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.0.0.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 221, "payload_entropy": 5.309181386890489, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 34, "tag_count": 5, "anomaly_count": 0, "campaign_key": "0f22d3d03ed2592133d8266d34dad6c22eaf89eb", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d99aa18f09f25242f2383d2abbd4ba4f", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 34 }, "payload_preview": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CL", "request_sample": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CL", "evidence": { "request_sample": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Link\/6.3.0.0.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CL", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af332cedd2ecf17ea56feeb7fab1a1b7a2194edf", "protocol_details": { "payload_preview": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CL", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CL", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 34\/100 (Faible) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 34 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 34, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CL", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/backend\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: MOT-L7v\/08.B7.5DR MIB\/2.2.1 Profile\/MIDP-2.0 Configuration\/CL", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "net_flood", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /wp/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Ge Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /wp/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Ge Requête brute (extrait) GET /wp/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.27 (KHTML, like Gecko) Chrome/12.0.712.0 Safari/534.27 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 233, "payload_entropy": 5.431943481888588, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "aadef01f210e2cfe19be3818e725dfdf", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/534.27 (KHTML, like Ge", "request_sample": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/534.27 (KHTML, like Gecko) Chrome\/12.0.712.0 Safari\/534.27\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/534.27 (KHTML, like Ge", "evidence": { "request_sample": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/534.27 (KHTML, like Gecko) Chrome\/12.0.712.0 Safari\/534.27\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/534.27 (KHTML, like Ge", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "500a5569d7c7a65c971ac047ed70b40716972df2", "protocol_details": { "payload_preview": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/534.27 (KHTML, like Ge", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/534.27 (KHTML, like Ge", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/534.27 (KHTML, like Ge", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/wp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/534.27 (KHTML, like Ge", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /wordpress/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /wordpress/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /wordpress/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 238, "payload_entropy": 5.4713474988111015, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01b23c6d4fd1e67206adb2d5014f44cd", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "request_sample": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.76 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "request_sample": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/56.0.2924.76 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "feb55313d08e336f4b3a87c98de66e6c528b733e", "protocol_details": { "payload_preview": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/wordpress\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /sendgrid/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) A Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /sendgrid/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) A Requête brute (extrait) GET /sendgrid/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 274, "payload_entropy": 5.3450830109555145, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dd64713381702b30f03c1340cc7ca940", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) A", "request_sample": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.0 Mobile\/14G60 Safari\/602.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) A", "evidence": { "request_sample": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.0 Mobile\/14G60 Safari\/602.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) A", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb7761cdc7a2232cd18d96795987ceedba8898c2", "protocol_details": { "payload_preview": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) A", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) A", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) A", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) A", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /temp/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/C Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /temp/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/C Requête brute (extrait) GET /temp/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Encoding: gzi Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 280, "payload_entropy": 5.3936605960686625, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "55de0445f56034ece44eb3ef4075a06f", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/C", "request_sample": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/C", "evidence": { "request_sample": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/C", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4bd60511ec7691e49d8cacf715be96e2eb525f9c", "protocol_details": { "payload_preview": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/C", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/C", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/C", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/temp\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; en-gb; T-Mobile_G2_Touch Build\/C", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /apps/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) App Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /apps/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) App Requête brute (extrait) GET /apps/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/532.8 (KHTML, like Gecko) Chrome/4.0.302.2 Safari/532.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 261, "payload_entropy": 5.384510452365788, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8828a9c88ab819556b2fc441d0293620", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) App", "request_sample": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.302.2 Safari\/532.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) App", "evidence": { "request_sample": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit\/532.8 (KHTML, like Gecko) Chrome\/4.0.302.2 Safari\/532.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) App", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "46b8cac5e76f1f9fb0a0e8ca570d623a67375fc9", "protocol_details": { "payload_preview": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) App", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) App", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) App", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/apps\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) App", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /sendgrid/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537. Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /sendgrid/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537. Requête brute (extrait) GET /sendgrid/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 261, "payload_entropy": 5.43629794155099, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "639f2d6925d7b43acc3129f2a81e3249", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "request_sample": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "evidence": { "request_sample": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a9e8050a3aafb522cc0ecbb6e1ee44400567cd06", "protocol_details": { "payload_preview": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G960F) AppleWebKit\/537.", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /sendgrid/.env.prod HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Fir Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /sendgrid/.env.prod HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Fir Requête brute (extrait) GET /sendgrid/.env.prod HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 206, "payload_entropy": 5.282357695629701, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4bdd6597dc0b7e40e102ab8f16b28141", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fir", "request_sample": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fir", "evidence": { "request_sample": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fir", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "299c4049ecc6193a1c5dcb52055329e21ec4c3d0", "protocol_details": { "payload_preview": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fir", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fir", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fir", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/sendgrid\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Fir", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /backend/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/53 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /backend/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/53 Requête brute (extrait) GET /backend/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 263, "payload_entropy": 5.399717065529561, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "69d006755771d2630c732381d1130ea7", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/53", "request_sample": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/53", "evidence": { "request_sample": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/53", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cae8d00cdca7fa3c5b07ff66939c45b221468862", "protocol_details": { "payload_preview": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/53", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/53", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/53", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q710.FG) AppleWebKit\/53", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /backend/.env.old HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; U; Android 4.1; en-us; sdk Build/MR1) App Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /backend/.env.old HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; U; Android 4.1; en-us; sdk Build/MR1) App Requête brute (extrait) GET /backend/.env.old HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; U; Android 4.1; en-us; sdk Build/MR1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.1 Safari/534.30 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 258, "payload_entropy": 5.372589524800817, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "de5dfc3a4c1151572aab43feb1240a89", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) App", "request_sample": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.1 Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) App", "evidence": { "request_sample": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.1 Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) App", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54b3d59ba198be7de14e4367fde745024e3a0200", "protocol_details": { "payload_preview": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) App", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) App", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) App", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) App", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /symfony/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, li Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /symfony/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /symfony/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 241, "payload_entropy": 5.446138390440651, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "af6c3b66cfac584de5b81d8e8546331a", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "request_sample": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "request_sample": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f5a471d640149614f94b09126ee8618edfef3894", "protocol_details": { "payload_preview": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/symfony\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /frontend/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.3 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /frontend/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.3 Requête brute (extrait) GET /frontend/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 253, "payload_entropy": 5.398476599728502, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b75123fe1227fac2bd36489cc8a26973", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.3", "request_sample": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "add65a07071fba74328672f9210c614b41231742", "protocol_details": { "payload_preview": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.3", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/frontend\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.3", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /html/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.4072 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /html/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.4072 Requête brute (extrait) GET /html/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.325012347532088, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c4ef51ce64ecd1073c5372b949ab74d8", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.4072", "request_sample": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.4072", "evidence": { "request_sample": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.40727; Media Center PC 4.0; InfoPath.1; en-NZ)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.4072", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d89c866cc6b3e5009e2553a22a950be196b7cc95", "protocol_details": { "payload_preview": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.4072", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.4072", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.4072", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/html\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/4.0 (Windows; U; MSIE 7.0; Windows NT 6.0; .NET CLR 1.0.4072", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /htdocs/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /htdocs/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Requête brute (extrait) GET /htdocs/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 215, "payload_entropy": 5.410518751959478, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6a237549be1c30fdb9f27eb96b5f832d", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "request_sample": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "evidence": { "request_sample": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "26fd6caef8ca884bec26df32785c9580f746281a", "protocol_details": { "payload_preview": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/htdocs\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Faible · 34
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /web/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: P3P Validator Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /web/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: P3P Validator Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Requête brute (extrait) GET /web/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: P3P Validator Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 141, "payload_entropy": 5.09303758762464, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4c534dfcbc4ff30ad0edf86865b3d75c7daa6ecf", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "507ae1115f720f65bd09d69c49d9686a", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 34 }, "payload_preview": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "request_sample": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "evidence": { "request_sample": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a9a994db55ebca3f0b0e0d90ae87a495810d16b1", "protocol_details": { "payload_preview": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 34\/100 (Faible) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 34, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/web\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: P3P Validator\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /frontend/.env.prod HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /frontend/.env.prod HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit Requête brute (extrait) GET /frontend/.env.prod HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.84 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 258, "payload_entropy": 5.423949699636017, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5559f2eb08a941d4f667141d64275d4d", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit", "request_sample": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.84 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit", "evidence": { "request_sample": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.84 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "48bd1f052e8b0a66897d0f25e751e118177d8a51", "protocol_details": { "payload_preview": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/frontend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /uploads/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; LEX829) AppleWebKit/537.36 (KHTML, Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /uploads/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; LEX829) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /uploads/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; LEX829) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/10.1 Chrome/71.0.3578.99 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 270, "payload_entropy": 5.468662634708652, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0b4ba6ffd0ecc702b62df5441063e986", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LEX829) AppleWebKit\/537.36 (KHTML,", "request_sample": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LEX829) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/10.1 Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LEX829) AppleWebKit\/537.36 (KHTML,", "evidence": { "request_sample": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LEX829) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/10.1 Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LEX829) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1543cb3d6d6269c9416c91ad43a343a125f7b778", "protocol_details": { "payload_preview": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LEX829) AppleWebKit\/537.36 (KHTML,", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LEX829) AppleWebKit\/537.36 (KHTML,", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LEX829) AppleWebKit\/537.36 (KHTML,", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/uploads\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LEX829) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /services/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /services/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537 Requête brute (extrait) GET /services/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 262, "payload_entropy": 5.417424098660095, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c25be046f81fb873881b52d6972d4864", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "request_sample": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "evidence": { "request_sample": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2b078de4a913223c4d653c5e0455bb07f0670fc0", "protocol_details": { "payload_preview": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/services\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:32 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /api/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 250, "payload_entropy": 5.41003651399878, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f15d575621dd43b3958b38f7ed7f6543", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "request_sample": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "68594f1a6d5ac954f79b3824572355331da3f323", "protocol_details": { "payload_preview": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/api\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }

34.47.80.115

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence