Renseignement sur les menaces

Corée du Sud

34.47.80.115

FAI Google LLC Première vue 14/06/2026 18:05 UTC Dernière vue 14/06/2026 18:05 UTC Risque Moyen

Période analysée : 2026-06-12 → 2026-06-19

Activité suspecte — risque 34/100 (Faible) — MITRE TA0001 — via HDFS NAMENODE

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 52/100 Moyen

Première observation 14/06/2026 18:05 UTC

Dernière observation 14/06/2026 18:05 UTC

Événements (période) 332

MITRE ATT&CK principal TA0007 235 occurrences

Activité suspecte — risque 34/100 (Faible) — MITRE TA0001 — via HDFS NAMENODE

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « syn_flood » (signaux protocolaires) · confiance 0%

Confiance 0 % — 4 signal(aux) capteur

Comparaison ASN / FAI

ASN 396982 · 34.47.64.0/18 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 332 événements sur la période pour cette IP.

162.216.149.35 Scanner web 19/06/2026 04:33 UTC
162.216.150.113 Scanner web 19/06/2026 04:33 UTC
162.216.150.40 Sonde port 5900/TCP 19/06/2026 04:32 UTC
35.203.211.97 Scan vulnérabilités 19/06/2026 04:32 UTC
35.203.210.112 Scanner web 19/06/2026 04:31 UTC
35.203.210.68 Scanner web 19/06/2026 04:31 UTC
35.203.211.196 Scan vulnérabilités 19/06/2026 04:28 UTC
147.185.132.169 Scanner web 19/06/2026 04:27 UTC

Événements (filtres)

332

Première observation

14/06/2026 18:05 UTC

Dernière observation

14/06/2026 18:05 UTC

Dernière activité (filtres)

14/06/2026 18:05 UTC

Événements 7j

332

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8020 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)

Détails protocole

Aperçu payload

GET /backend/sendgrid.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: NetSurf/1.2 (NetBSD; amd64) Accept-Charset: utf-8 Accep

Port / service

8020 · HDFS NAMENODE

Service émulé

HDFS-NAMENODE

Raison confiance

Confiance 0 % — 4 signal(aux) capteur

Technique MITRE

TA0001

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Confiance

0% Confiance modérée — signal unique

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

332 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

332 événement(s) — page 3/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��k�)2��ڣ�{B��`��&i��w�� =}�b��cx�x��{�;mu�h�dA(Z��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��k�)2��ڣ�{B��`��&i��w�� =}�b��cx�x��{�;mu�h�dA(Z��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��k�)2��ڣ�{B��`��&i��w�� =}�b��cx�x��{�;mu�h�dA(Z��&�+�/�,�0̨̩� �� /5� w �+3&$ ��j�J'.�~��e![׵�� %uV�q Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.932696015252615, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f3346b7371a1d5dc6588a3579e5bdadd9ec7851b", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c96c35c63897ac4509aac61a12d9cf2", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd)2\ufffd\ufffd\ufffd\u06a3\ufffd{B\ufffd\ufffd`\ufffd\ufffd\u001a&i\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\u0010\ufffd \ufffd\ufffd=}\ufffd\u0006\u000fb\ufffd\ufffdcx\ufffdx\ufffd\ufffd{\ufffd;mu\ufffdh\ufffddA(Z\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd)2\ufffd\ufffd\ufffd\u06a3\ufffd{B\ufffd\ufffd`\ufffd\ufffd\u001a&i\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\u0010\ufffd \ufffd\ufffd=}\ufffd\u0006\u000fb\ufffd\ufffdcx\ufffdx\ufffd\ufffd{\ufffd;mu\ufffdh\ufffddA(Z\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdj\u0006\u0011\ufffdJ\u0019'.\u001e\ufffd~\ufffd\ufffd\u0015e![\u0002\u05f5\ufffd\ufffd\ufffd\n%uV\ufffdq", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd)2\ufffd\ufffd\ufffd\u06a3\ufffd{B\ufffd\ufffd`\ufffd\ufffd\u001a&i\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\u0010\ufffd \ufffd\ufffd=}\ufffd\u0006\u000fb\ufffd\ufffdcx\ufffdx\ufffd\ufffd{\ufffd;mu\ufffdh\ufffddA(Z\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b536dd440f5898fc7ca94f1509076fd86ffbd929", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd)2\ufffd\ufffd\ufffd\u06a3\ufffd{B\ufffd\ufffd`\ufffd\ufffd\u001a&i\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\u0010\ufffd \ufffd\ufffd=}\ufffd\u0006\u000fb\ufffd\ufffdcx\ufffdx\ufffd\ufffd{\ufffd;mu\ufffdh\ufffddA(Z\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffd\ufffdk\ufffd)2\ufffd\ufffd\ufffd\u06a3\ufffd{B\ufffd\ufffd`\ufffd\ufffd&i\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd=}\ufffdb\ufffd\ufffdcx\ufffdx\ufffd\ufffd{\ufffd;mu\ufffdh\ufffddA(Z\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd)2\ufffd\ufffd\ufffd\u06a3\ufffd{B\ufffd\ufffd`\ufffd\ufffd\u001a&i\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\u0010\ufffd \ufffd\ufffd=}\ufffd\u0006\u000fb\ufffd\ufffdcx\ufffdx\ufffd\ufffd{\ufffd;mu\ufffdh\ufffddA(Z\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdk\ufffd)2\ufffd\ufffd\ufffd\u06a3\ufffd{B\ufffd\ufffd`\ufffd\ufffd&i\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd=}\ufffdb\ufffd\ufffdcx\ufffdx\ufffd\ufffd{\ufffd;mu\ufffdh\ufffddA(Z\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /app/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 ( Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /app/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 ( Requête brute (extrait) GET /app/backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 250, "payload_entropy": 5.422578885954542, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "39975a27101bf40c49c6307a851ca741", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "request_sample": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/37.0.2062.124 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "evidence": { "request_sample": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/37.0.2062.124 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "30527162054f8ebcdf06d0d7896427b2e453d878", "protocol_details": { "payload_preview": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��o��Sn�y3N��$��\,k��#�� M(#q��Y�@Z��z�l[+�(��hQz&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��o��Sn�y3N��$��\,k��#�� M(#q��Y�@Z��z�l[+�(��hQz&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��o��Sn�y3N��$��\,k��#�� M(#q��Y�@Z��z�l[+�(��hQz&�+�/�,�0̨̩� �� /5� w �+3&$ d�K �Kt��ѝ�w�K��T��m��g Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.893215927038465, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f3346b7371a1d5dc6588a3579e5bdadd9ec7851b", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6d63c7c54e45aae3be1456de5d4b124c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\ufffdSn\ufffdy3N\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\,k\ufffd\ufffd#\ufffd\ufffd\ufffd \ufffdM(#q\ufffd\ufffd\ufffdY\ufffd@Z\ufffd\ufffdz\ufffdl[+\ufffd(\ufffd\ufffd\ufffd\u0014\ufffd\ufffdhQz\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\ufffdSn\ufffdy3N\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\,k\ufffd\ufffd#\ufffd\ufffd\ufffd \ufffdM(#q\ufffd\ufffd\ufffdY\ufffd@Z\ufffd\ufffdz\ufffdl[+\ufffd(\ufffd\ufffd\ufffd\u0014\ufffd\ufffdhQz\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 d\ufffdK\u000b\ufffdKt\ufffd\ufffd\ufffd\u0010\ufffd\u045d\ufffdw\ufffd\u0007K\ufffd\ufffdT\ufffd\u000f\ufffdm\ufffd\ufffd\ufffdg", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\ufffdSn\ufffdy3N\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\,k\ufffd\ufffd#\ufffd\ufffd\ufffd \ufffdM(#q\ufffd\ufffd\ufffdY\ufffd@Z\ufffd\ufffdz\ufffdl[+\ufffd(\ufffd\ufffd\ufffd\u0014\ufffd\ufffdhQz\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fc6e7b01ebb9d04c01396ae38487fbf9dd5ffac8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\ufffdSn\ufffdy3N\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\,k\ufffd\ufffd#\ufffd\ufffd\ufffd \ufffdM(#q\ufffd\ufffd\ufffdY\ufffd@Z\ufffd\ufffdz\ufffdl[+\ufffd(\ufffd\ufffd\ufffd\u0014\ufffd\ufffdhQz\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffdo\ufffd\ufffd\ufffdSn\ufffdy3N\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\,k\ufffd\ufffd#\ufffd\ufffd\ufffd \ufffdM(#q\ufffd\ufffd\ufffdY\ufffd@Z\ufffd\ufffdz\ufffdl[+\ufffd(\ufffd\ufffd\ufffd\ufffd\ufffdhQz&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003o\ufffd\ufffd\ufffdSn\ufffdy3N\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\,k\ufffd\ufffd#\ufffd\ufffd\ufffd \ufffdM(#q\ufffd\ufffd\ufffdY\ufffd@Z\ufffd\ufffdz\ufffdl[+\ufffd(\ufffd\ufffd\ufffd\u0014\ufffd\ufffdhQz\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdo\ufffd\ufffd\ufffdSn\ufffdy3N\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\,k\ufffd\ufffd#\ufffd\ufffd\ufffd \ufffdM(#q\ufffd\ufffd\ufffdY\ufffd@Z*\ufffd\ufffdz\ufffdl[+\ufffd(\ufffd\ufffd\ufffd\ufffd\ufffdhQz&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, l Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /backend/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 YaBrowser/19.3.1.828 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 274, "payload_entropy": 5.445863611358126, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89d754dbd133497dd7f4a2aa02a0cf7c", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "evidence": { "request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c94f97d3d7b92e385d7a90f3f9f0ee1648602250", "protocol_details": { "payload_preview": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, l", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.3 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 253, "payload_entropy": 5.4258537244616925, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ee7ab5519b460e0062e79f2ff775f002", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a29c222c78370cf8b1b30869723b7d2ecb9ef8b", "protocol_details": { "payload_preview": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 OPR/63.0.3368.35 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 268, "payload_entropy": 5.415608820639758, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "59daf67a076d8c3fc66b8e0e96226373", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\/63.0.3368.35\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36 OPR\/63.0.3368.35\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2555cba4e032d24f8ba32fd56ddfa98cb5c84896", "protocol_details": { "payload_preview": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/6 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/6 Requête brute (extrait) GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/44.0.2403.67 Mobile/12H143 Safari/600.1.4 Accept-Charset: utf-8 Accept-Encoding: gzip Connec Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 271, "payload_entropy": 5.382911635561282, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "861bd911b147374431b7fde2aa550e6c", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit\/6", "request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) CriOS\/44.0.2403.67 Mobile\/12H143 Safari\/600.1.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit\/6", "evidence": { "request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit\/600.1.4 (KHTML, like Gecko) CriOS\/44.0.2403.67 Mobile\/12H143 Safari\/600.1.4\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit\/6", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "06d1181c17751ce78a0feb5497bb054cae60baa1", "protocol_details": { "payload_preview": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit\/6", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit\/6", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit\/6", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPod; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit\/6", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /app/.env.old HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/201204 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /app/.env.old HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/201204 Requête brute (extrait) GET /app/.env.old HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 218, "payload_entropy": 5.283360105671996, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9f953440fadac621fb3490eb03a7acba", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/201204", "request_sample": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/201204", "evidence": { "request_sample": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/201204", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a387bc7b368f96dbbcfdcd1e6ea590763af7e7ee", "protocol_details": { "payload_preview": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/201204", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/201204", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/201204", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/201204", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /src/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko/ Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /src/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko/ Requête brute (extrait) GET /src/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko/20100101 Firefox/57.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 218, "payload_entropy": 5.271267144027998, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5dc0fc0cba0b00d7e70e166fbe2eb647", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/", "request_sample": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/20100101 Firefox\/57.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/", "evidence": { "request_sample": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/20100101 Firefox\/57.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e9f8cdee8f7b5e1588e5c59db1596f451d4a4816", "protocol_details": { "payload_preview": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/src\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko\/", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /src/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /src/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /src/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 243, "payload_entropy": 5.406075439180103, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "39954d757d5798fcdc691ca5503d5676", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, ", "request_sample": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "request_sample": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/65.0.3325.181 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b895c3d9d24498aa89bde8bf987acc51004bd0a", "protocol_details": { "payload_preview": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/src\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKi Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKi Requête brute (extrait) GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 267, "payload_entropy": 5.380103028984186, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "29707e02b06dbb189df44f25bad8e2b4", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKi", "request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKi", "evidence": { "request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKi", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13a64abdb905150357fe8463048101d1b1e358d2", "protocol_details": { "payload_preview": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKi", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKi", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKi", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.0.2; Lenovo A6010) AppleWebKi", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /app/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.3 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /app/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.3 Requête brute (extrait) GET /app/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 253, "payload_entropy": 5.3825445341919185, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1d29d4b93ee246533deebdf7e1750450", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.3", "request_sample": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.3", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "92fd2c47259f1359fe1da947b0cf860b0e38c976", "protocol_details": { "payload_preview": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.3", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.3", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /frontend/.env.staging HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) G Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /frontend/.env.staging HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) G Requête brute (extrait) GET /frontend/.env.staging HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) Gecko/20110123 SeaMonkey/2.0.12 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 227, "payload_entropy": 5.314675640531133, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8c6bce556b2c87a18e036527b43b77c7", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) G", "request_sample": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) Gecko\/20110123 SeaMonkey\/2.0.12\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) G", "evidence": { "request_sample": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) Gecko\/20110123 SeaMonkey\/2.0.12\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) G", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "19d13ab9b026b82d3716347d3dae2b131fe9f846", "protocol_details": { "payload_preview": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) G", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) G", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) G", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/frontend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.17) G", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/537.36 ( Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/537.36 ( Requête brute (extrait) GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 257, "payload_entropy": 5.4028329139501, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3acdd42171a091a960f7514495d03894", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "evidence": { "request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "145b8d403b9e56a5f7009633c3b48f19e2c3b19b", "protocol_details": { "payload_preview": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /server/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/ Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /server/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/ Requête brute (extrait) GET /server/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.82 Safari/537.36 OPR/29.0.1795.41 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 274, "payload_entropy": 5.434884959448751, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1249cb5ac20c41759f2d59bdb759d03d", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/", "request_sample": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.82 Safari\/537.36 OPR\/29.0.1795.41\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/", "evidence": { "request_sample": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.82 Safari\/537.36 OPR\/29.0.1795.41\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "030497842e96e98a386450caed5e5e42a609da62", "protocol_details": { "payload_preview": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/server\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /server/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit/537.36 (KHTM Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /server/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /server/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 253, "payload_entropy": 5.3936681453998565, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b821a258e6935c2083be2fe75fa7dab2", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/server\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit\/537.36 (KHTM", "request_sample": "GET \/server\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit\/537.36 (KHTM", "evidence": { "request_sample": "GET \/server\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "838063770ae2e55eaa691dc7eb9241500746cf67", "protocol_details": { "payload_preview": "GET \/server\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit\/537.36 (KHTM", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/server\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit\/537.36 (KHTM", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/server\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit\/537.36 (KHTM", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/server\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 6.1) AppleWebKit\/537.36 (KHTM", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /src/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.3 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /src/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /src/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.42 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 252, "payload_entropy": 5.408277599633327, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1a7a08a4bb50e8e7ccbd7e7f4a5d59ce", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "request_sample": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.42 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d34a9e31712367f637d4675b5bdb934ae336b13c", "protocol_details": { "payload_preview": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/src\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHT Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHT Requête brute (extrait) GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AP Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 261, "payload_entropy": 5.4783689252685575, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d6f9b4b7558d9716e80882878e9c1f6a", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.9174AP\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "evidence": { "request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.9174AP\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e66d0239e820b9e4dee1116a81a4da6c5fef174", "protocol_details": { "payload_preview": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHT", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /services/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) Apple Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /services/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) Apple Requête brute (extrait) GET /services/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 261, "payload_entropy": 5.334924644869198, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "78dca8ebe6b9db567380ea14e686e9f4", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) Apple", "request_sample": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) Apple", "evidence": { "request_sample": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) Apple", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b4eb43ee27d4f011ef45b909be5fe02dfe0fff2", "protocol_details": { "payload_preview": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) Apple", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) Apple", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) Apple", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/services\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) Apple", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /data/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 ( Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /data/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 ( Requête brute (extrait) GET /data/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 250, "payload_entropy": 5.417722362372532, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c904e239a91cad2b8f5e615cd4b49d68", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (", "request_sample": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (", "evidence": { "request_sample": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f38034f7e630af115024e684e5fb07de5117fe8c", "protocol_details": { "payload_preview": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/data\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit\/537.36 (", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /service/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LGL84VL Build/NRD90U) AppleWebKi Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /service/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LGL84VL Build/NRD90U) AppleWebKi Requête brute (extrait) GET /service/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LGL84VL Build/NRD90U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 267, "payload_entropy": 5.492366412807475, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1715c83e5c4231973e1dee0b0cb30c15", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGL84VL Build\/NRD90U) AppleWebKi", "request_sample": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGL84VL Build\/NRD90U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGL84VL Build\/NRD90U) AppleWebKi", "evidence": { "request_sample": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGL84VL Build\/NRD90U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGL84VL Build\/NRD90U) AppleWebKi", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d063d71cff73f77f560562402f151740e80ea39", "protocol_details": { "payload_preview": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGL84VL Build\/NRD90U) AppleWebKi", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGL84VL Build\/NRD90U) AppleWebKi", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGL84VL Build\/NRD90U) AppleWebKi", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/service\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGL84VL Build\/NRD90U) AppleWebKi", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /services/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWeb Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /services/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWeb Requête brute (extrait) GET /services/.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 269, "payload_entropy": 5.446668770698556, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "822f8cea58b1a8f2981188cb9b033a31", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWeb", "request_sample": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWeb", "evidence": { "request_sample": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWeb", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e50aa0c7ba6d8b6e5e84ec592aee9141c9aa226f", "protocol_details": { "payload_preview": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWeb", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWeb", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWeb", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/services\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; KYOCERA-C6742) AppleWeb", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	tor exit probe tor exit probe · via HDFS NAMENODE:8020 · (commande & contrôle)	Élevée	Moyen · 51
Étape Commande & contrôle Chaîne Commande & contrôle Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0011 TA0011 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Investiguer Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /storage/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit/537.36 ( Pourquoi cette classification : Type « tor_exit_probe » (signaux protocolaires) · confiance 46% Confiance classification 46% Confiance modérée — signal unique Risque capteur Moyen · 51 Confiance : Confiance 46 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Tor Exit Hint Technique MITRE TA0011 Tactiques MITRE TA0011 User-Agent — Règles WAF — Payload (extrait) GET /storage/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit/537.36 ( Requête brute (extrait) GET /storage/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 257, "payload_entropy": 5.404072226040016, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 51, "tag_count": 6, "anomaly_count": 0, "campaign_key": "dad2764bcd8401f7d6e0aadbd3e93c25a4f53ea4", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%", "confidence": 0.46, "classification_confidence": 0.46, "precision_score": 55, "precision_signals": [ "INT-TOR-exit-hint" ], "kb_rule_ids": [ "INT-TOR-exit-hint" ], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 51 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 46, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6a9b5beaec550b4eafa4ba629ace4e28", "path_pattern_hash": "d2d40d620e587c49ef0af866b893b1d5" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 51 }, "payload_preview": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit\/537.36 (", "request_sample": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit\/537.36 (", "evidence": { "request_sample": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%" }, "attack_stage": "c2", "mitre_tactics": [ "TA0011" ], "mitre": "TA0011", "threat_family": [ "botnet" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13cc7e80515a4481d77366b5138f3ef03d19a3b1", "protocol_details": { "payload_preview": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit\/537.36 (", "attack_vector": "tor exit probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (commande & contr\u00f4le)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 46 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%", "classification_reason_label_fr": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0011 \u2014 confiance 46 % \u2014 via HDFS NAMENODE", "confidence_pct": 46, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 51 }, "attack_stage": "c2", "attack_stage_label": "Commande & contr\u00f4le", "attack_chain_stage": "command_and_control", "attack_chain_stage_label_fr": "Commande & contr\u00f4le", "risk_score": 51, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "INT-TOR-exit-hint" ], "tags_summary_labels_fr": [ "Tor Exit Hint" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0011", "mitre_technique": "TA0011", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "tor exit probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (commande & contr\u00f4le)", "evidence_snippet": "GET \/storage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; Redmi 4A) AppleWebKit\/537.36 (", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 46 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 46 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "stage" }, { "key": "command_and_control", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "command_and_control", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood", "tor_exit_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde Elasticsearch elasticsearch probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /admin/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/537.36 ( Pourquoi cette classification : Type « elasticsearch_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 49 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0341 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES admin GET User-Agent — Règles WAF — Payload (extrait) GET /admin/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/537.36 ( Requête brute (extrait) GET /admin/.env.backup HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 257, "payload_entropy": 5.423017978229339, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0341" ], "kb_rule_ids": [ "pat-0341" ], "matched_patterns": [ "pat-0341" ], "matched_pattern_names": [ "ES admin GET" ], "pattern_ids": [ "pat-0341" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3b2b2c1b7fc7af7960943967f7c9ad01", "path_pattern_hash": "9dbf5366f59d9174076d704198d3d3fd" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 49 }, "payload_preview": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "request_sample": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "evidence": { "request_sample": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a533399f9225a4ee9f0588e2881641dd2e9cc902", "protocol_details": { "payload_preview": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "attack_vector": "elasticsearch probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0341" ], "tags_summary_labels_fr": [ "pat-0341" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "elasticsearch probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/admin\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /build/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /build/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /build/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.88 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 262, "payload_entropy": 5.43867267179839, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6b78cca45c6f5008d5456bc86cb2f7b4", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.88\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.88\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f54037b908f4f4a9b16c3bf3eca1173ee3031b2e", "protocol_details": { "payload_preview": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/build\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /deploy/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 (KHT Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /deploy/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /deploy/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 254, "payload_entropy": 5.480193085092728, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b1544ff0551531c71f99fbae2a7527a9", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHT", "request_sample": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHT", "evidence": { "request_sample": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c9a66ed4e00ca9c5c8892710302e39710c320ba6", "protocol_details": { "payload_preview": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHT", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHT", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHT", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/deploy\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ASUS_X00QD) AppleWebKit\/537.36 (KHT", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /dist/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Geck Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /dist/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET /dist/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 234, "payload_entropy": 5.437905032023336, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4efebf3fe907e401c5849d8354c156e6", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "request_sample": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "request_sample": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.170 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "14b4b33b2bfd6147b682b30b2c8e23ea68ad5ef6", "protocol_details": { "payload_preview": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/dist\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Geck", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /internal/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTM Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /internal/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /internal/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 OPR/62.0.3331.116 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: c Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 264, "payload_entropy": 5.3734034649800195, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "af8596bb9fdd4c09505b7340c72248f2", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTM", "request_sample": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTM", "evidence": { "request_sample": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36 OPR\/62.0.3331.116\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: c", "payload_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b145eb4fedfe14b5c855a36fffa39297d72d7676", "protocol_details": { "payload_preview": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTM", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTM", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTM", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/internal\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTM", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /config/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWe Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 44 Confiance : Confiance 0 % — 6 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /config/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWe Requête brute (extrait) GET /config/.env.production HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 230, "payload_entropy": 5.337130472793486, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 44, "tag_count": 6, "anomaly_count": 0, "campaign_key": "fe877a7756155d2222a1b1375c595b0011e73afe", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c8ca54397520dc93e49490b54d815bb7", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 44 }, "payload_preview": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWe", "request_sample": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWe", "evidence": { "request_sample": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWe", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f09eabfe8b293c4034c4e9a84ab8089ea7b32227", "protocol_details": { "payload_preview": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWe", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWe", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWe", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/config\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWe", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /src/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537. Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /src/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537. Requête brute (extrait) GET /src/api/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 261, "payload_entropy": 5.392050910643688, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "067a90201cbfd8f3f6f5e771f81259c8", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.", "request_sample": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.", "evidence": { "request_sample": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c16f46d0d9af59f943d4bd44e2e1efabd1f70a67", "protocol_details": { "payload_preview": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/src\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:31 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Flood / DDoS syn flood · via HDFS NAMENODE:8020 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /docker/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 Pourquoi cette classification : Type « syn_flood » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 43 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 User-Agent — Règles WAF — Payload (extrait) GET /docker/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 Requête brute (extrait) GET /docker/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3792.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 250, "payload_entropy": 5.419814228855587, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 79, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a79fcbff610d3ededfb0401fdc5c81fc", "path_pattern_hash": "18ea0213c0d23e39dd8461c4478348f1" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 43 }, "payload_preview": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "request_sample": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "evidence": { "request_sample": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ddos" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5865b758d7e5eddbe36994f14c5e97a8ec7577e3", "protocol_details": { "payload_preview": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab syn_flood \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 via HDFS NAMENODE", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 79, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "syn flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/docker\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	hdfs probe hdfs probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 37
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /stage/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Pourquoi cette classification : Type « hdfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 37 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /stage/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Requête brute (extrait) GET /stage/.env HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; en-us) AppleWebKit/413 (KHTML, like Gecko) Safari/413 es65 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 219, "payload_entropy": 5.3927860638203455, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f71847e9222aa2fcc9d406536e64388dc43eed03", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b3b93b20cf13db09bb68b16a4ac36d26", "path_pattern_hash": "504871b8907d47c47e0e5eef0ff043b4" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 37 }, "payload_preview": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like ", "request_sample": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es65\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "evidence": { "request_sample": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413 es65\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7a98812cda5b46d0be5b421db809432d882645ea", "protocol_details": { "payload_preview": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 37\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 37, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; en-us) AppleWebKit\/413 (KHTML, like", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_hdfs_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_hdfs_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��M�W�O�%(�R�2�b/��1n+�h?�C� ��}{��x�u��Q�I$_x-屮�g4�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��M�W�O�%(�R�2�b/��1n+�h?�C� ��}{��x�u��Q�I$_x-屮�g4�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��M�W�O�%(�R�2�b/��1n+�h?�C� ��}{��x�u��Q�I$_x-屮�g4�&�+�/�,�0̨̩� �� /5� w �+3&$ �H��P�q��%��i�ZYGWl��yyә� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.949052654937834, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "288e3a0d535a04570116c1bb0bb7e2aadd0dfed0", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0521fe4623fffe52a63673bcb242bca6", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdM\ufffd\u0018W\ufffd\u0016O\u0012\ufffd%(\ufffdR\ufffd2\ufffdb\/\ufffd\ufffd\ufffd1n+\ufffdh?\ufffdC\ufffd \ufffd\ufffd\ufffd\ufffd}{\ufffd\ufffdx\ufffdu\ufffd\ufffd\ufffdQ\ufffdI$_x\u0010-\ufa3c\ufffd\u0007\u0004g4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdM\ufffd\u0018W\ufffd\u0016O\u0012\ufffd%(\ufffdR\ufffd2\ufffdb\/\ufffd\ufffd\ufffd1n+\ufffdh?\ufffdC\ufffd \ufffd\ufffd\ufffd\ufffd}{\ufffd\ufffdx\ufffdu\ufffd\ufffd\ufffdQ\ufffdI$_x\u0010-\ufa3c\ufffd\u0007\u0004g4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdH\ufffd\ufffdP\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\ufffdi\ufffdZYGWl\u0016\ufffd\ufffdyy\u04d9\ufffd\u0006", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdM\ufffd\u0018W\ufffd\u0016O\u0012\ufffd%(\ufffdR\ufffd2\ufffdb\/\ufffd\ufffd\ufffd1n+\ufffdh?\ufffdC\ufffd \ufffd\ufffd\ufffd\ufffd}{\ufffd\ufffdx\ufffdu\ufffd\ufffd\ufffdQ\ufffdI$_x\u0010-\ufa3c\ufffd\u0007\u0004g4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4e12dad9cabafb1017d4aed173f1ad299dbf34e5", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdM\ufffd\u0018W\ufffd\u0016O\u0012\ufffd%(\ufffdR\ufffd2\ufffdb\/\ufffd\ufffd\ufffd1n+\ufffdh?\ufffdC\ufffd \ufffd\ufffd\ufffd\ufffd}{\ufffd\ufffdx\ufffdu\ufffd\ufffd\ufffdQ\ufffdI$_x\u0010-\ufa3c\ufffd\u0007\u0004g4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdM\ufffdW\ufffdO\ufffd%(\ufffdR\ufffd2\ufffdb\/\ufffd\ufffd\ufffd1n+\ufffdh?\ufffdC\ufffd \ufffd\ufffd\ufffd\ufffd}{\ufffd\ufffdx\ufffdu\ufffd\ufffd\ufffdQ\ufffdI$_x-\ufa3c\ufffdg4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdM\ufffd\u0018W\ufffd\u0016O\u0012\ufffd%(\ufffdR\ufffd2\ufffdb\/\ufffd\ufffd\ufffd1n+\ufffdh?\ufffdC\ufffd \ufffd\ufffd\ufffd\ufffd}{\ufffd\ufffdx\ufffdu\ufffd\ufffd\ufffdQ\ufffdI$_x\u0010-\ufa3c\ufffd\u0007\u0004g4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdM\ufffdW\ufffdO\ufffd%(\ufffdR\ufffd2\ufffdb\/\ufffd\ufffd\ufffd1n+\ufffdh?\ufffdC\ufffd \ufffd\ufffd\ufffd\ufffd}{\ufffd\ufffdx\ufffdu\ufffd\ufffd\ufffdQ\ufffdI$_x-\ufa3c\ufffdg4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_hdfs_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_hdfs_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��򼛴q��P�v�㧳8�-�(�E��8a$e6�o 5��b��8��h��[>�u؜�(�[܁^�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��򼛴q��P�v�㧳8�-�(�E��8a$e6�o 5��b��8��h��[>�u؜�(�[܁^�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��򼛴q��P�v�㧳8�-�(�E��8a$e6�o 5��b��8��h��[>�u؜�(�[܁^�&�+�/�,�0̨̩� �� /5� w �+3&$ g��ˌF�\|@�� f�}�""v�?�P~p.g�4 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.869317065472066, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "288e3a0d535a04570116c1bb0bb7e2aadd0dfed0", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "534c736160765e8c1180737648903818", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\udab1\udef4q\ufffd\ufffd\ufffdP\ufffdv\ufffd\u39f38\ufffd-\ufffd(\ufffdE\ufffd\ufffd8a$\u001fe6\ufffdo 5\u0000\ufffd\ufffdb\ufffd\ufffd8\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u0002h\ufffd\ufffd[>\ufffdu\u061c\ufffd(\ufffd[\u0701^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\udab1\udef4q\ufffd\ufffd\ufffdP\ufffdv\ufffd\u39f38\ufffd-\ufffd(\ufffdE\ufffd\ufffd8a$\u001fe6\ufffdo 5\u0000\ufffd\ufffdb\ufffd\ufffd8\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u0002h\ufffd\ufffd[>\ufffdu\u061c\ufffd(\ufffd[\u0701^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 g\ufffd\ufffd\u02ccF\ufffd\|@\ufffd\ufffd\ufffd f\ufffd}\ufffd\"\"v\u0000\ufffd\u0012?\ufffdP~p.g\ufffd4", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\udab1\udef4q\ufffd\ufffd\ufffdP\ufffdv\ufffd\u39f38\ufffd-\ufffd(\ufffdE\ufffd\ufffd8a$\u001fe6\ufffdo 5\u0000\ufffd\ufffdb\ufffd\ufffd8\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u0002h\ufffd\ufffd[>\ufffdu\u061c\ufffd(\ufffd[\u0701^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3bc9266b4fae26f42b3ce03ad78d0aff0f5ea3c9", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\udab1\udef4q\ufffd\ufffd\ufffdP\ufffdv\ufffd\u39f38\ufffd-\ufffd(\ufffdE\ufffd\ufffd8a$\u001fe6\ufffdo 5\u0000\ufffd\ufffdb\ufffd\ufffd8\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u0002h\ufffd\ufffd[>\ufffdu\u061c\ufffd(\ufffd[\u0701^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffd\udab1\udef4q\ufffd\ufffd\ufffdP\ufffdv\ufffd\u39f38\ufffd-\ufffd(\ufffdE\ufffd\ufffd8a$e6\ufffdo 5\ufffd\ufffdb\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffd\ufffd[>\ufffdu\u061c\ufffd(\ufffd[\u0701^\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\udab1\udef4q\ufffd\ufffd\ufffdP\ufffdv\ufffd\u39f38\ufffd-\ufffd(\ufffdE\ufffd\ufffd8a$\u001fe6\ufffdo 5\u0000\ufffd\ufffdb\ufffd\ufffd8\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\u0002h\ufffd\ufffd[>\ufffdu\u061c\ufffd(\ufffd[\u0701^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\udab1\udef4q\ufffd\ufffd\ufffdP\ufffdv\ufffd\u39f38\ufffd-\ufffd(\ufffdE\ufffd\ufffd8a$e6\ufffdo 5\ufffd\ufffdb\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffd\ufffd[>\ufffdu\u061c\ufffd(\ufffd[\u0701^\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_hdfs_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_hdfs_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload �� e;.�%O��0^ǳ��X��r��A�:�� J �yCcL�a��ߐ�5�)A>R��S$!��3��M&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��e;.�%O��0^ǳ��X��r��A�:�� J �yCcL�a��ߐ�5�)A>R��S$!��3��M&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� e;.�%O��0^ǳ��X��r��A�:�� J �yCcL�a��ߐ�5�)A>R��S$!��3��M&�+�/�,�0̨̩� �� /5� w �+3&$ �j^6Y\|�t�44��)z��;#��5�8 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.878688564568511, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "288e3a0d535a04570116c1bb0bb7e2aadd0dfed0", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c51db731dc7fdc075a907691b7e58818", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\fe;.\ufffd\u0005%O\ufffd\ufffd\ufffd0^\u01f3\ufffd\ufffd\ufffdX\ufffd\ufffdr\ufffd\ufffdA\ufffd:\ufffd\ufffd\rJ \ufffdy\u0015CcL\ufffda\ufffd\ufffd\u07d0\ufffd5\ufffd)A>R\ufffd\u0003\ufffdS$!\ufffd\ufffd3\ufffd\ufffd\ufffdM\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\fe;.\ufffd\u0005%O\ufffd\ufffd\ufffd0^\u01f3\ufffd\ufffd\ufffdX\ufffd\ufffdr\ufffd\ufffdA\ufffd:\ufffd\ufffd\rJ \ufffdy\u0015CcL\ufffda\ufffd\ufffd\u07d0\ufffd5\ufffd)A>R\ufffd\u0003\ufffdS$!\ufffd\ufffd3\ufffd\ufffd\ufffdM\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdj^6Y\|\ufffdt\ufffd4\u001f\u0002\u00074\ufffd\u0007\ufffd\ufffd\ufffd\ufffd)z\ufffd\ufffd;#\ufffd\ufffd5\ufffd8", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\fe;.\ufffd\u0005%O\ufffd\ufffd\ufffd0^\u01f3\ufffd\ufffd\ufffdX\ufffd\ufffdr\ufffd\ufffdA\ufffd:\ufffd\ufffd\rJ \ufffdy\u0015CcL\ufffda\ufffd\ufffd\u07d0\ufffd5\ufffd)A>R\ufffd\u0003\ufffdS$!\ufffd\ufffd3\ufffd\ufffd\ufffdM\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b96919f6c663ed6aa224c031db8cc21abdb7ea6e", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\fe;.\ufffd\u0005%O\ufffd\ufffd\ufffd0^\u01f3\ufffd\ufffd\ufffdX\ufffd\ufffdr\ufffd\ufffdA\ufffd:\ufffd\ufffd\rJ \ufffdy\u0015CcL\ufffda\ufffd\ufffd\u07d0\ufffd5\ufffd)A>R\ufffd\u0003\ufffdS$!\ufffd\ufffd3\ufffd\ufffd\ufffdM\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffde;.\ufffd%O\ufffd\ufffd\ufffd0^\u01f3\ufffd\ufffd\ufffdX\ufffd\ufffdr\ufffd\ufffdA\ufffd:\ufffd\ufffd\rJ \ufffdyCcL\ufffda\ufffd\ufffd\u07d0\ufffd5\ufffd)A>R\ufffd\ufffdS$!\ufffd\ufffd3\ufffd\ufffd\ufffdM&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\fe;.\ufffd\u0005%O\ufffd\ufffd\ufffd0^\u01f3\ufffd\ufffd\ufffdX\ufffd\ufffdr\ufffd\ufffdA\ufffd:\ufffd\ufffd\rJ \ufffdy\u0015CcL\ufffda\ufffd\ufffd\u07d0\ufffd5\ufffd)A>R\ufffd\u0003\ufffdS$!\ufffd\ufffd3\ufffd\ufffd\ufffdM\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffde*;.\ufffd%O\ufffd\ufffd\ufffd0^\u01f3\ufffd\ufffd\ufffdX\ufffd\ufffdr\ufffd\ufffdA\ufffd:\ufffd\ufffd\rJ \ufffdyCcL\ufffda\ufffd\ufffd\u07d0\ufffd5\ufffd)A>R\ufffd\ufffdS$!\ufffd\ufffd3\ufffd\ufffd\ufffdM&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_hdfs_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_hdfs_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��{DTR��P��-��I�R��0�[ q�E�( ?Q��[5�.Gs��%��I�0?0��~�<�:�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��{DTR��P��-��I�R��0�[q�E�( ?Q��[5�.Gs��%��I�0?0��~�<�:�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��{DTR��P��-��I�R��0�[ q�E�( ?Q��[5�.Gs��%��I�0?0��~�<�:�&�+�/�,�0̨̩� �� /5� w �+3&$ ��ة�&k�Ek��2��S��?b~�ĭ~J Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.783713001873339, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "288e3a0d535a04570116c1bb0bb7e2aadd0dfed0", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b44cb365c9beb427029e6373618866e3", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\u0016DTR\ufffd\ufffd\u0014\ufffdP\ufffd\ufffd-\ufffd\ufffd\ufffdI\ufffdR\ufffd\ufffd0\ufffd[\fq\u0018\ufffdE\ufffd( ?Q\ufffd\ufffd[5\ufffd.G\u0015s\u0000\ufffd\ufffd%\ufffd\ufffdI\ufffd0?\u00060\ufffd\ufffd~\ufffd\u0002<\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\u0016DTR\ufffd\ufffd\u0014\ufffdP\ufffd\ufffd-\ufffd\ufffd\ufffdI\ufffdR\ufffd\ufffd0\ufffd[\fq\u0018\ufffdE\ufffd( ?Q\ufffd\ufffd[5\ufffd.G\u0015s\u0000\ufffd\ufffd%\ufffd\ufffdI\ufffd0?\u00060\ufffd\ufffd~\ufffd\u0002<\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u0629\ufffd&k\ufffdEk\ufffd\ufffd2\ufffd\ufffd\u0002\ufffd\ufffdS\ufffd\ufffd\ufffd?b~\ufffd\u0019\u0013\u012d~J", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\u0016DTR\ufffd\ufffd\u0014\ufffdP\ufffd\ufffd-\ufffd\ufffd\ufffdI\ufffdR\ufffd\ufffd0\ufffd[\fq\u0018\ufffdE\ufffd( ?Q\ufffd\ufffd[5\ufffd.G\u0015s\u0000\ufffd\ufffd%\ufffd\ufffdI\ufffd0?\u00060\ufffd\ufffd~\ufffd\u0002<\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce826093da3182a8b413604e00bc6057ea2f043b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\u0016DTR\ufffd\ufffd\u0014\ufffdP\ufffd\ufffd-\ufffd\ufffd\ufffdI\ufffdR\ufffd\ufffd0\ufffd[\fq\u0018\ufffdE\ufffd( ?Q\ufffd\ufffd[5\ufffd.G\u0015s\u0000\ufffd\ufffd%\ufffd\ufffdI\ufffd0?\u00060\ufffd\ufffd~\ufffd\u0002<\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffd{DTR\ufffd\ufffd\ufffdP\ufffd\ufffd-\ufffd\ufffd\ufffdI\ufffdR\ufffd\ufffd0\ufffd[q\ufffdE\ufffd( ?Q\ufffd\ufffd[5\ufffd.Gs\ufffd\ufffd%\ufffd\ufffdI\ufffd0?0\ufffd\ufffd~\ufffd<\ufffd:\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\u0016DTR\ufffd\ufffd\u0014\ufffdP\ufffd\ufffd-\ufffd\ufffd\ufffdI\ufffdR\ufffd\ufffd0\ufffd[\fq\u0018\ufffdE\ufffd( ?Q\ufffd\ufffd[5\ufffd.G\u0015s\u0000\ufffd\ufffd%\ufffd\ufffdI\ufffd0?\u00060\ufffd\ufffd~\ufffd\u0002<\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd{DTR\ufffd\ufffd\ufffdP\ufffd\ufffd-\ufffd\ufffd\ufffdI\ufffdR\ufffd\ufffd0\ufffd[q\ufffdE\ufffd( ?Q\ufffd\ufffd[5\ufffd.Gs\ufffd\ufffd%\ufffd\ufffdI\ufffd0?0\ufffd\ufffd~\ufffd<\ufffd:\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_hdfs_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_hdfs_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��u��q�z =�.= �� [i8P��y�� <��:g�=4KI��'�"��X�c��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��u��q�z =�.=�� [i8P��y�� <��:g�=4KI��'�"��X�c��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��u��q�z =�.= �� [i8P��y�� <��:g�=4KI��'�"��X�c��&�+�/�,�0̨̩� �� /5� w �+3&$ �va��bE�D��č��I�Y#��7L Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.850997977088605, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "288e3a0d535a04570116c1bb0bb7e2aadd0dfed0", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "47058e31dab8a2cd98aa844b25cd734d", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffdq\ufffdz =\ufffd\u001f\u001b.=\u000b\ufffd\ufffd\t[i8P\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd\ufffd:g\ufffd=4\u0017KI\ufffd\ufffd\ufffd'\ufffd\"\ufffd\ufffd\ufffdX\ufffdc\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffdq\ufffdz =\ufffd\u001f\u001b.=\u000b\ufffd\ufffd\t[i8P\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd\ufffd:g\ufffd=4\u0017KI\ufffd\ufffd\ufffd'\ufffd\"\ufffd\ufffd\ufffdX\ufffdc\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0019\ufffdva\ufffd\u0017\ufffd\ufffd\ufffdb\u0013\u0001E\ufffdD\ufffd\ufffd\u010d\ufffd\ufffdI\ufffdY#\ufffd\u0004\ufffd\u00017\u0000L", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffdq\ufffdz =\ufffd\u001f\u001b.=\u000b\ufffd\ufffd\t[i8P\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd\ufffd:g\ufffd=4\u0017KI\ufffd\ufffd\ufffd'\ufffd\"\ufffd\ufffd\ufffdX\ufffdc\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4051b0c1fe3c485aa05f0e64277dc9047ab1bf9f", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffdq\ufffdz =\ufffd\u001f\u001b.=\u000b\ufffd\ufffd\t[i8P\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd\ufffd:g\ufffd=4\u0017KI\ufffd\ufffd\ufffd'\ufffd\"\ufffd\ufffd\ufffdX\ufffdc\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffdq\ufffdz =\ufffd.=\ufffd\ufffd\t[i8P\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd\ufffd:g\ufffd=4KI\ufffd\ufffd\ufffd'\ufffd\"\ufffd\ufffd\ufffdX\ufffdc\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdu\ufffd\ufffdq\ufffdz =\ufffd\u001f\u001b.=\u000b\ufffd\ufffd\t[i8P\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd\ufffd:g\ufffd=4\u0017KI\ufffd\ufffd\ufffd'\ufffd\"\ufffd\ufffd\ufffdX\ufffdc\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffdq\ufffdz =\ufffd.=\ufffd\ufffd\t[i8P\ufffd\ufffd\ufffd\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd\ufffd:g\ufffd=4KI\ufffd\ufffd\ufffd'\ufffd\"\ufffd\ufffd\ufffdX\ufffdc\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_hdfs_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��?�ц� Ӆ��m�S��:�A Ez�?�Gc8��6{�^6oG�y��X9q6��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��?�ц�Ӆ��m�S��:�A Ez�?�Gc8��6{�^6oG�y��X9q6��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��?�ц� Ӆ��m�S��:�A Ez�?�Gc8��6{�^6oG�y��X9q6��&�+�/�,�0̨̩� �� /5� w �+3&$ 6!�XFQQ�6I�C�I�D�Ч��'�8�M�L Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.818268699115038, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f3346b7371a1d5dc6588a3579e5bdadd9ec7851b", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "344d4f7b821b92c0ad9827ea3f7381b4", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\ufffd\u0446\ufffd\f\u04c5\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdm\u0017\ufffdS\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011:\ufffdA Ez\ufffd?\ufffdG\u0007c8\ufffd\u0011\ufffd\ufffd6{\ufffd\u0014^6oG\ufffdy\ufffd\ufffd\ufffdX9q6\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\ufffd\u0446\ufffd\f\u04c5\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdm\u0017\ufffdS\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011:\ufffdA Ez\ufffd?\ufffdG\u0007c8\ufffd\u0011\ufffd\ufffd6{\ufffd\u0014^6oG\ufffdy\ufffd\ufffd\ufffdX9q6\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 6\u0002!\ufffdXFQ\u0000Q\ufffd6I\ufffdC\ufffdI\ufffdD\ufffd\u0427\ufffd\ufffd\u0010\ufffd'\ufffd8\ufffdM\ufffdL", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\ufffd\u0446\ufffd\f\u04c5\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdm\u0017\ufffdS\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011:\ufffdA Ez\ufffd?\ufffdG\u0007c8\ufffd\u0011\ufffd\ufffd6{\ufffd\u0014^6oG\ufffdy\ufffd\ufffd\ufffdX9q6\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "749d3684561bf90c7bdc6807253c067fd288bec9", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\ufffd\u0446\ufffd\f\u04c5\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdm\u0017\ufffdS\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011:\ufffdA Ez\ufffd?\ufffdG\u0007c8\ufffd\u0011\ufffd\ufffd6{\ufffd\u0014^6oG\ufffdy\ufffd\ufffd\ufffdX9q6\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffd?\ufffd\u0446\ufffd\u04c5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffdS\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdA Ez\ufffd?\ufffdGc8\ufffd\ufffd\ufffd6{\ufffd^6oG\ufffdy\ufffd\ufffd\ufffdX9q6\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\ufffd\u0446\ufffd\f\u04c5\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdm\u0017\ufffdS\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011:\ufffdA Ez\ufffd?\ufffdG\u0007c8\ufffd\u0011\ufffd\ufffd6{\ufffd\u0014^6oG\ufffdy\ufffd\ufffd\ufffdX9q6\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd?\ufffd\u0446\ufffd\u04c5\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffdS\ufffd\ufffd\ufffd\ufffd\ufffd:\ufffdA Ez\ufffd?\ufffdGc8\ufffd\ufffd\ufffd6{\ufffd^6oG\ufffdy\ufffd\ufffd\ufffdX9q6\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��̹�#G1�]�ߋ+U�s�NGm$\��%8�F �!�;x�A/ѧȏ��j�ȸ� p��U�z1&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��̹�#G1�]�ߋ+U�s�NGm$\��%8�F �!�;x�A/ѧȏ��j�ȸ� p��U�z1&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��̹�#G1�]�ߋ+U�s�NGm$\��%8�F �!�;x�A/ѧȏ��j�ȸ� p��U�z1&�+�/�,�0̨̩� �� /5� w �+3&$ 6�E�lP��2�t"��c��L�Lzl Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.7987335272736, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f3346b7371a1d5dc6588a3579e5bdadd9ec7851b", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "62490f21a0892ee7f597b14f3090ee67", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\ufffd\u001d\u0339\ufffd#G1\ufffd]\ufffd\u07cb+U\ufffds\ufffdNGm$\\\ufffd\ufffd\ufffd%8\ufffdF \ufffd\u0006!\ufffd;x\ufffd\u001dA\/\u0467\u020f\ufffd\ufffdj\ufffd\u0238\ufffd\u0002\rp\ufffd\ufffdU\ufffd\u0012z1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\ufffd\u001d\u0339\ufffd#G1\ufffd]\ufffd\u07cb+U\ufffds\ufffdNGm$\\\ufffd\ufffd\ufffd%8\ufffdF \ufffd\u0006!\ufffd;x\ufffd\u001dA\/\u0467\u020f\ufffd\ufffdj\ufffd\u0238\ufffd\u0002\rp\ufffd\ufffdU\ufffd\u0012z1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u00166\u001c\ufffd\u0016E\ufffdlP\ufffd\u0004\u0003\ufffd\u001e2\ufffd\u0001t\u0018\"\ufffd\ufffdc\ufffd\ufffdL\ufffdL\u001azl", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\ufffd\u001d\u0339\ufffd#G1\ufffd]\ufffd\u07cb+U\ufffds\ufffdNGm$\\\ufffd\ufffd\ufffd%8\ufffdF \ufffd\u0006!\ufffd;x\ufffd\u001dA\/\u0467\u020f\ufffd\ufffdj\ufffd\u0238\ufffd\u0002\rp\ufffd\ufffdU\ufffd\u0012z1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c76046ed5b8c9561661f529e205507f351d8affe", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\ufffd\u001d\u0339\ufffd#G1\ufffd]\ufffd\u07cb+U\ufffds\ufffdNGm$\\\ufffd\ufffd\ufffd%8\ufffdF \ufffd\u0006!\ufffd;x\ufffd\u001dA\/\u0467\u020f\ufffd\ufffdj\ufffd\u0238\ufffd\u0002\rp\ufffd\ufffdU\ufffd\u0012z1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffd\ufffd\u0339\ufffd#G1\ufffd]\ufffd\u07cb+U\ufffds\ufffdNGm$\\\ufffd\ufffd\ufffd%8\ufffdF \ufffd!\ufffd;x\ufffdA\/\u0467\u020f\ufffd\ufffdj\ufffd\u0238\ufffd\rp\ufffd\ufffdU\ufffdz1&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001e\ufffd\u001d\u0339\ufffd#G1\ufffd]\ufffd\u07cb+U\ufffds\ufffdNGm$\\\ufffd\ufffd\ufffd%8\ufffdF \ufffd\u0006!\ufffd;x\ufffd\u001dA\/\u0467\u020f\ufffd\ufffdj\ufffd\u0238\ufffd\u0002\rp\ufffd\ufffdU\ufffd\u0012z1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\u0339\ufffd#G1\ufffd]\ufffd\u07cb+U\ufffds\ufffdNGm$\\\ufffd\ufffd\ufffd%8\ufffdF \ufffd!\ufffd;x\ufffdA\/\u0467\u020f\ufffd\ufffdj\ufffd\u0238\ufffd\rp\ufffd\ufffdU\ufffdz1&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	hdfs probe hdfs probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe net_hdfs_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /.env.test HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu/~maxim/cgi-bin/Link/Gul Pourquoi cette classification : Type « hdfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.env.test HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu/~maxim/cgi-bin/Link/Gul Requête brute (extrait) GET /.env.test HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu/~maxim/cgi-bin/Link/GulperBot) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 204, "payload_entropy": 5.245285522349289, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8f630f9fdbf5dadcefe721f7fd077ae9a573fa2f", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "64f49f75f154321a5d6cffdcfadd9709", "path_pattern_hash": "504871b8907d47c47e0e5eef0ff043b4" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 34 }, "payload_preview": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/Gul", "request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/GulperBot)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/Gul", "evidence": { "request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/GulperBot)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/Gul", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fdaf772d028ce544cc1b7720baedda954e2bbc0c", "protocol_details": { "payload_preview": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/Gul", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/Gul", "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/Gul", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/Gul", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "net_hdfs_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	hdfs probe hdfs probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 37
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /.env.txt HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/607.2.6 ( Pourquoi cette classification : Type « hdfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 37 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.env.txt HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/607.2.6 ( Requête brute (extrait) GET /.env.txt HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/607.2.6 (KHTML, like Gecko) Version/12.1.1 Safari/607.2.6 Maxthon/5.1.132 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 261, "payload_entropy": 5.371232923679616, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f71847e9222aa2fcc9d406536e64388dc43eed03", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0b30305c66c18a412e1ca0f96b26258e", "path_pattern_hash": "504871b8907d47c47e0e5eef0ff043b4" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 37 }, "payload_preview": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (", "request_sample": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (KHTML, like Gecko) Version\/12.1.1 Safari\/607.2.6 Maxthon\/5.1.132\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (", "evidence": { "request_sample": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (KHTML, like Gecko) Version\/12.1.1 Safari\/607.2.6 Maxthon\/5.1.132\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f0e8b48f6d8fcc56a2bde1d45cb6871780dc2572", "protocol_details": { "payload_preview": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (", "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 37\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 37, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/607.2.6 (", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_hdfs_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	hdfs probe hdfs probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 37
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /.env.template HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit/537.3 Pourquoi cette classification : Type « hdfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 37 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.env.template HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit/537.3 Requête brute (extrait) GET /.env.template HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 260, "payload_entropy": 5.413669439912577, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f71847e9222aa2fcc9d406536e64388dc43eed03", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "85c3ab41bde7d1be258772ff5bf40fd4", "path_pattern_hash": "504871b8907d47c47e0e5eef0ff043b4" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 37 }, "payload_preview": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.3", "request_sample": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.3", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8a7f1284cfc5c8a83584f82ec22728110b6ad25e", "protocol_details": { "payload_preview": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.3", "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 37\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 37, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.3", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-X210CMR) AppleWebKit\/537.3", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_hdfs_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	hdfs probe hdfs probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 37
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /.env.testing HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021001 Pourquoi cette classification : Type « hdfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 37 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.env.testing HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021001 Requête brute (extrait) GET /.env.testing HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021001 Phoenix/0.2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 209, "payload_entropy": 5.247208267688645, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f71847e9222aa2fcc9d406536e64388dc43eed03", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9de988e959253f06b48e41b22709ac43", "path_pattern_hash": "504871b8907d47c47e0e5eef0ff043b4" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 37 }, "payload_preview": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko\/20021001", "request_sample": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko\/20021001 Phoenix\/0.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko\/20021001", "evidence": { "request_sample": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko\/20021001 Phoenix\/0.2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko\/20021001", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6e586c59771fa51c8ce9c7af850daa564e654631", "protocol_details": { "payload_preview": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko\/20021001", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko\/20021001", "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 37\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 37, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko\/20021001", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.env.testing HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko\/20021001", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_hdfs_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	hdfs probe hdfs probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 37
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /.env.orig HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 ( Pourquoi cette classification : Type « hdfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 37 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.env.orig HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 ( Requête brute (extrait) GET /.env.orig HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36 OPR/28.0.1750.51 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 267, "payload_entropy": 5.415508567041429, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f71847e9222aa2fcc9d406536e64388dc43eed03", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1382a2e48f8a44ad4228e4a5a0ec5e01", "path_pattern_hash": "504871b8907d47c47e0e5eef0ff043b4" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 37 }, "payload_preview": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (", "request_sample": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2272.118 Safari\/537.36 OPR\/28.0.1750.51\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (", "evidence": { "request_sample": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2272.118 Safari\/537.36 OPR\/28.0.1750.51\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac21b6f06fce0d9ec78d95af7b9bd2826183e8c6", "protocol_details": { "payload_preview": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (", "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 37\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 37, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit\/537.36 (", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_hdfs_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	hdfs probe hdfs probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 37
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /.env.demo HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, Pourquoi cette classification : Type « hdfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 37 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.env.demo HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.env.demo HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 243, "payload_entropy": 5.406253489100994, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f71847e9222aa2fcc9d406536e64388dc43eed03", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "70bd44f503b3f77df43c36b6e1d590b4", "path_pattern_hash": "504871b8907d47c47e0e5eef0ff043b4" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 37 }, "payload_preview": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, ", "request_sample": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "request_sample": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e974baad425e0b7c70d4da8b34745f460d8e2106", "protocol_details": { "payload_preview": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 37\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 37, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_hdfs_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	hdfs probe hdfs probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 37
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKi Pourquoi cette classification : Type « hdfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 37 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKi Requête brute (extrait) GET /.env.local HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 269, "payload_entropy": 5.344021590977133, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f71847e9222aa2fcc9d406536e64388dc43eed03", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6c0254f4537eaa8969546f5ca48ead95", "path_pattern_hash": "504871b8907d47c47e0e5eef0ff043b4" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 37 }, "payload_preview": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKi", "request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKi", "evidence": { "request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKi", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9fb3b08ffd6462aecc0ba399fe0f17b177348c15", "protocol_details": { "payload_preview": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKi", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKi", "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 37\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 37, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKi", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKi", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_hdfs_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_hdfs_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��fϷ�[�D��k�lk�C՘ȲO:��N�v~x � i��R�`1d�ݩ&��eZNV)��8&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��fϷ�[�D��k�lk�C՘ȲO:��N�v~x � i��R�`1d�ݩ&��eZNV)��8&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��fϷ�[�D��k�lk�C՘ȲO:��N�v~x � i��R�`1d�ݩ&��eZNV)��8&�+�/�,�0̨̩� �� /5� w �+3&$ ړ^��KA��b9��"��x�� : Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.852183830227322, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "288e3a0d535a04570116c1bb0bb7e2aadd0dfed0", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f20e4189ca905b249c4c3e5d59033fb6", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003f\u03f7\ufffd[\ufffdD\ufffd\ufffd\u0017k\ufffdlk\ufffdC\u0558\u0232O\u0016:\ufffd\ufffd\ufffdN\ufffdv~x \ufffd\ni\ufffd\ufffdR\ufffd`1\u001dd\ufffd\u0769\u0005&\b\ufffd\ufffd\ufffd\u000f\ufffdeZN\u0012V)\ufffd\u0015\ufffd8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003f\u03f7\ufffd[\ufffdD\ufffd\ufffd\u0017k\ufffdlk\ufffdC\u0558\u0232O\u0016:\ufffd\ufffd\ufffdN\ufffdv~x \ufffd\ni\ufffd\ufffdR\ufffd`1\u001dd\ufffd\u0769\u0005&\b\ufffd\ufffd\ufffd\u000f\ufffdeZN\u0012V)\ufffd\u0015\ufffd8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0693^\ufffd\ufffdKA\u0016\ufffd\ufffdb9\ufffd\ufffd\ufffd\ufffd\"\ufffd\ufffd\u0005\ufffd\ufffd\u0000x\ufffd\ufffd\ufffd\f\ufffd:", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003f\u03f7\ufffd[\ufffdD\ufffd\ufffd\u0017k\ufffdlk\ufffdC\u0558\u0232O\u0016:\ufffd\ufffd\ufffdN\ufffdv~x \ufffd\ni\ufffd\ufffdR\ufffd`1\u001dd\ufffd\u0769\u0005&\b\ufffd\ufffd\ufffd\u000f\ufffdeZN\u0012V)\ufffd\u0015\ufffd8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7cfd31d5ca81a28a63dc3abaad1d3cdfb5f2ea41", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003f\u03f7\ufffd[\ufffdD\ufffd\ufffd\u0017k\ufffdlk\ufffdC\u0558\u0232O\u0016:\ufffd\ufffd\ufffdN\ufffdv~x \ufffd\ni\ufffd\ufffdR\ufffd`1\u001dd\ufffd\u0769\u0005&\b\ufffd\ufffd\ufffd\u000f\ufffdeZN\u0012V)\ufffd\u0015\ufffd8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffdf\u03f7\ufffd[\ufffdD\ufffd\ufffdk\ufffdlk\ufffdC\u0558\u0232O:\ufffd\ufffd\ufffdN\ufffdv~x \ufffd\ni\ufffd\ufffdR\ufffd`1d\ufffd\u0769&\ufffd\ufffd\ufffd\ufffdeZNV)\ufffd\ufffd8&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003f\u03f7\ufffd[\ufffdD\ufffd\ufffd\u0017k\ufffdlk\ufffdC\u0558\u0232O\u0016:\ufffd\ufffd\ufffdN\ufffdv~x \ufffd\ni\ufffd\ufffdR\ufffd`1\u001dd\ufffd\u0769\u0005&\b\ufffd\ufffd\ufffd\u000f\ufffdeZN\u0012V)\ufffd\u0015\ufffd8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdf\u03f7\ufffd[\ufffdD\ufffd\ufffdk\ufffdlk\ufffdC\u0558\u0232O:\ufffd\ufffd\ufffdN\ufffdv~x \ufffd\ni\ufffd\ufffdR\ufffd`1d\ufffd\u0769&\ufffd\ufffd\ufffd\ufffdeZNV)\ufffd\ufffd8&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_hdfs_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	hdfs probe hdfs probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 37
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET /.env.old HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Pourquoi cette classification : Type « hdfs_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 37 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.2.516 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 270, "payload_entropy": 5.436596164790335, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 37, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f71847e9222aa2fcc9d406536e64388dc43eed03", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1bb019769930dcaafcd1137806caaf56", "path_pattern_hash": "504871b8907d47c47e0e5eef0ff043b4" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 37 }, "payload_preview": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like ", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 YaBrowser\/19.7.2.516 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3827fdb63ea835fe15b842180ee062f206d9d4e0", "protocol_details": { "payload_preview": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab hdfs_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 37\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 37 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 37, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "hdfs probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_hdfs_probe" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_hdfs_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��2�o�%��X6yO6UX��%��楔:�%3 X�)0]��q��Km��ݦ}�aZ�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��2�o�%��X6yO6UX��%��楔:�%3 X�)0]��q��Km��ݦ}�aZ�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��2�o�%��X6yO6UX��%��楔:�%3 X�)0]��q��Km��ݦ}�aZ�&�+�/�,�0̨̩� �� /5� w �+3&$ 18�j��S��J��19ف��WV��wY Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.8072406910274115, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "288e3a0d535a04570116c1bb0bb7e2aadd0dfed0", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "953ebcc87f0ec08bf6a3fdb9da317380", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd2\ufffdo\ufffd%\ufffd\u0002\ufffdX6\u0004yO6UX\ufffd\ufffd%\ufffd\ufffd\ufffd\u6954:\ufffd%3\u0011 X\ufffd)0\u0012]\ufffd\ufffdq\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdKm\u001f\ufffd\ufffd\u0766\u001c}\ufffdaZ\u0001\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd2\ufffdo\ufffd%\ufffd\u0002\ufffdX6\u0004yO6UX\ufffd\ufffd%\ufffd\ufffd\ufffd\u6954:\ufffd%3\u0011 X\ufffd)0\u0012]\ufffd\ufffdq\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdKm\u001f\ufffd\ufffd\u0766\u001c}\ufffdaZ\u0001\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 1\u001c8\ufffdj\ufffd\ufffd\u000e\u0001\ufffd\ufffdS\ufffd\ufffdJ\ufffd\ufffd\ufffd19\u0641\ufffd\ufffdWV\ufffd\ufffd\ufffdwY", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd2\ufffdo\ufffd%\ufffd\u0002\ufffdX6\u0004yO6UX\ufffd\ufffd%\ufffd\ufffd\ufffd\u6954:\ufffd%3\u0011 X\ufffd)0\u0012]\ufffd\ufffdq\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdKm\u001f\ufffd\ufffd\u0766\u001c}\ufffdaZ\u0001\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "917b4d94b3136c740a0af6826f7501497502e3a3", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd2\ufffdo\ufffd%\ufffd\u0002\ufffdX6\u0004yO6UX\ufffd\ufffd%\ufffd\ufffd\ufffd\u6954:\ufffd%3\u0011 X\ufffd)0\u0012]\ufffd\ufffdq\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdKm\u001f\ufffd\ufffd\u0766\u001c}\ufffdaZ\u0001\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffd\ufffd2\ufffdo\ufffd%\ufffd\ufffdX6yO6UX\ufffd\ufffd%\ufffd\ufffd\ufffd\u6954:\ufffd%3 X\ufffd)0]\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdKm\ufffd\ufffd\u0766}\ufffdaZ\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd2\ufffdo\ufffd%\ufffd\u0002\ufffdX6\u0004yO6UX\ufffd\ufffd%\ufffd\ufffd\ufffd\u6954:\ufffd%3\u0011 X\ufffd)0\u0012]\ufffd\ufffdq\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\ufffdKm\u001f\ufffd\ufffd\u0766\u001c}\ufffdaZ\u0001\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd2\ufffdo\ufffd%\ufffd\ufffdX6yO6UX\ufffd\ufffd%\ufffd\ufffd\ufffd\u6954:\ufffd%3 X\ufffd)0]\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdKm\ufffd\ufffd\u0766}\ufffdaZ*\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_hdfs_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 18:05:30 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Sonde PostgreSQL postgres probe · via HDFS NAMENODE:8020 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HDFS-NAMENODE WAF — Recommandation Surveiller Tags hdfs_namenode_emulated hdfs_namenode_payload net_hdfs_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload ��Ӂ��\|k��]W��:m9��o��# �b��q��J!Yk�{D��3�`p�D�L5o�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Ӂ��\|k��]W��:m9��o��# �b��q��J!Yk�{D��3�`p�D�L5o�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Ӂ��\|k��]W��:m9��o��# �b��q��J!Yk�{D��3�`p�D�L5o�&�+�/�,�0̨̩� �� /5� w �+3&$ B6�� ݯ�� ;yHo��3U�e�A Y_ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 239, "payload_entropy": 5.845784207180861, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "KR", "dst_port": 8020, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "288e3a0d535a04570116c1bb0bb7e2aadd0dfed0", "event_fingerprint": "f86f2f8585eddb17139e72dd9eb2eb48cccd1028", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e747bd001ab05c27a3a6a6aaf213c9a4", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u04c1\u000e\ufffd\u0011\ufffd\u0003\|k\ufffd\ufffd\ufffd]W\ufffd\ufffd:m9\ufffd\u0011\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd# \ufffdb\ufffd\ufffdq\ufffd\ufffd\ufffdJ!Y\u001fk\ufffd{D\ufffd\u0003\u001e\ufffd3\ufffd`p\ufffd\u001fD\ufffdL5o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u04c1\u000e\ufffd\u0011\ufffd\u0003\|k\ufffd\ufffd\ufffd]W\ufffd\ufffd:m9\ufffd\u0011\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd# \ufffdb\ufffd\ufffdq\ufffd\ufffd\ufffdJ!Y\u001fk\ufffd{D\ufffd\u0003\u001e\ufffd3\ufffd`p\ufffd\u001fD\ufffdL5o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \nB6\ufffd\ufffd\u000b\ufffd\u076f\ufffd\ufffd\n\ufffd\u0011;yHo\ufffd\ufffd\ufffd\ufffd3U\ufffde\ufffdA Y\u001f_", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u04c1\u000e\ufffd\u0011\ufffd\u0003\|k\ufffd\ufffd\ufffd]W\ufffd\ufffd:m9\ufffd\u0011\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd# \ufffdb\ufffd\ufffdq\ufffd\ufffd\ufffdJ!Y\u001fk\ufffd{D\ufffd\u0003\u001e\ufffd3\ufffd`p\ufffd\u001fD\ufffdL5o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34e76ef1b546142d8cef8babae932a0831fede2c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u04c1\u000e\ufffd\u0011\ufffd\u0003\|k\ufffd\ufffd\ufffd]W\ufffd\ufffd:m9\ufffd\u0011\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd# \ufffdb\ufffd\ufffdq\ufffd\ufffd\ufffdJ!Y\u001fk\ufffd{D\ufffd\u0003\u001e\ufffd3\ufffd`p\ufffd\u001fD\ufffdL5o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u04c1\ufffd\ufffd\|k\ufffd\ufffd\ufffd]W\ufffd\ufffd:m9\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd# \ufffdb\ufffd\ufffdq\ufffd\ufffd\ufffdJ!Yk\ufffd{D\ufffd\ufffd3\ufffd`p\ufffdD\ufffdL5o\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u04c1\u000e\ufffd\u0011\ufffd\u0003\|k\ufffd\ufffd\ufffd]W\ufffd\ufffd:m9\ufffd\u0011\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd# \ufffdb\ufffd\ufffdq\ufffd\ufffd\ufffdJ!Y\u001fk\ufffd{D\ufffd\u0003\u001e\ufffd3\ufffd`p\ufffd\u001fD\ufffdL5o\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "postgres probe \u00b7 via HDFS NAMENODE:8020 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u04c1\ufffd\ufffd\|k\ufffd\ufffd\ufffd]W\ufffd\ufffd:m9\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\ufffd# \ufffdb\ufffd\ufffdq\ufffd\ufffd\ufffdJ!Yk\ufffd{D\ufffd\ufffd3\ufffd`p\ufffdD\ufffdL5o\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "net_hdfs_probe", "tls_clienthello" ], "asn_dc_heuristic": true }

34.47.80.115

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence