Renseignement sur les menaces

Corée du Sud

34.50.60.131

FAI Google LLC Première vue 15/06/2026 12:49 UTC Dernière vue 15/06/2026 12:49 UTC Risque Élevé

Période analysée : 2026-05-19 → 2026-06-18

Activité suspecte — risque 54/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 75/100 Élevé

Première observation 15/06/2026 12:49 UTC

Dernière observation 15/06/2026 12:49 UTC

Événements (période) 854

MITRE ATT&CK principal TA0007 432 occurrences

Activité suspecte — risque 54/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 60 · Bonus corrélation +8 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.50.0.0/18 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

198.235.24.49 Sonde WebSphere 18/06/2026 19:11 UTC
147.185.132.210 Scanner web 18/06/2026 19:11 UTC
198.235.24.184 Sonde port 4911/TCP 18/06/2026 19:11 UTC
35.203.211.140 Scanner web 18/06/2026 19:09 UTC
35.222.165.200 couchdb probe 18/06/2026 19:08 UTC
162.216.149.58 Scanner web 18/06/2026 19:07 UTC
147.185.132.234 Scanner web 18/06/2026 19:07 UTC
205.210.31.210 Scanner web 18/06/2026 19:07 UTC

Événements (filtres)

854

Première observation

15/06/2026 12:49 UTC

Dernière observation

15/06/2026 12:49 UTC

Dernière activité (filtres)

15/06/2026 12:49 UTC

Événements 7j

854

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 427 TLS TCP 427

HTTP

427

TLS

427

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 9900 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:9900 · (tentative d'exploit) · → /.vscode/settings.json

Détails protocole

Méthode: GET
Chemin: /.vscode/settings.json
User-Agent: iTunes/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca)

Aperçu payload

GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: iTunes/9.0.3 (Macintosh; U; Intel Mac OS X 10_6_2; en-ca

Port / service

9900 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 2 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

854 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

854 événement(s) — page 2/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /config/sendgrid.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.py UA Mozilla/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit/537.36 … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /config/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit/537 Requête brute (extrait) GET /config/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "8941f15f75e6faf17e50ac16b0b66d019ddd769d", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "c39a8449a6e4f2889aa8a56e74d7dff99a1b9759", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.428786859343332, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c070fbfdc922d3ca5341e5ea21b34fc6f9d452f3", "event_fingerprint": "22a808daa00451c923ec9eae8792b5ad5fbaf431", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bee86261a2d2a418ab5d0ea08fe4165f", "payload_hash": "5ede8dc4fcdbf5b0574d762277e2dd16", "path_pattern_hash": "9abcee9f2bf7633ad04f7c379dbcfd85" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537", "method": "GET", "path": "\/config\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/config\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "40325fa6952d4db6a442e8478a26d0d10a06c548", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.py", "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/53\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.py", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.py", "request_line": "GET \/config\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/53\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.py", "evidence_snippet": "GET \/config\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; RNE-L21) AppleWebKit\/537", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /sendgrid_config.py	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid_config.py UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid_config.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /sendgrid_config.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid_config.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid_config.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /sendgrid_config.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "py", "http_ua_hash": "f82f6bdde0703010485af715f69f70fb2457ffeb", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "a8a91d2a8a844789d248ad7ec78ac7f9ab48d8a3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.4648005143375515, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "61c6e29ef8a466582b76d4d5388732b10617f18d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4636206c01ccd6ef8c951048fdec3e40", "payload_hash": "ed42d5550c2babb8ec999e947687c632", "path_pattern_hash": "5188a9e48f153fb145fe03b080df78ed" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/sendgrid_config.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "request_sample": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/sendgrid_config.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "request_sample": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "013287e3573b74a9f3d97948d2401d39c047bbc1", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_config.py", "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_config.py", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid_config.py", "request_line": "GET \/sendgrid_config.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid_config.py", "evidence_snippet": "GET \/sendgrid_config.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /access.log	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /access.log UA BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 net_flood Cible HTTP GET /access.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /access.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /access.log HTTP/1.1` User-Agent BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 UP.Link/6.3.1.20.0 Règles WAF nosqli-3 Payload (extrait) GET /access.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 Ve Requête brute (extrait) GET /access.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: BlackBerry9530/4.7.0.167 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/102 UP.Link/6.3.1.20.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "032aa236fb47322552122ab3c77885024df9b4f5", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "63438c908367e4f8041717ab279c4d967e15af99", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 226, "payload_entropy": 5.282792289487737, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c943a987590b922715ce6fc5ac444dc18443000e", "event_fingerprint": "3a640c32c701d57376cf0f54d6c45566db9c676f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0ebdb23e08a31acbd893000f0c621490", "payload_hash": "6dfae4e1d388d6748ee72ba709e437ec", "path_pattern_hash": "3185fcf0045ab357f9b5c65f6fd9ad4d" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Ve", "method": "GET", "path": "\/access.log", "user_agent": "BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/access.log HTTP\/1.1", "request_sample": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Ve", "evidence": { "method": "GET", "path": "\/access.log", "user_agent": "BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/access.log HTTP\/1.1", "request_sample": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Ve", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a3c41fed29b60ccc88f20546386fbf5c19dd142a", "protocol_details": { "http_method": "GET", "http_path": "\/access.log", "request_line": "GET \/access.log HTTP\/1.1", "http_user_agent": "BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Ve", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/access.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/access.log", "request_line": "GET \/access.log HTTP\/1.1", "http_user_agent": "BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 VendorID\/102 UP.Link\/6.3.1.20.0", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/access.log", "evidence_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: BlackBerry9530\/4.7.0.167 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 Ve", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /debug.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /debug.log UA Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /debug.log HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 ( Requête brute (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "dd06a0c1ad8e56e7477866bb3fb50d7471a4a58a", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "77d9f648329aebdef206c4b1d63546db6147ce3b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.4213018903701435, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "1b9a0c05a2cfc2fd923f339ab5ac9cd46664df1d", "event_fingerprint": "4fce3c2b01c8afd31c5bfbda6980b6b3dc675f4a", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "037da2fa9dc25106b45b54fc94b6d3d3", "payload_hash": "b7ac20088b956f15e768b7347879d867", "path_pattern_hash": "55839acef8bcadd99e7e1a1cdf75a15f" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (", "method": "GET", "path": "\/debug.log", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/debug.log HTTP\/1.1", "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (", "evidence": { "method": "GET", "path": "\/debug.log", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/debug.log HTTP\/1.1", "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4bb19e224d3ac67e389be5715f2ac9f798d5b760", "protocol_details": { "http_method": "GET", "http_path": "\/debug.log", "request_line": "GET \/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/debug.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/debug.log", "request_line": "GET \/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/debug.log", "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /server.log	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.log UA Mozilla/5.0 (MeeGo; NokiaN950-00/00) AppleWebKit/534.13 (KHTML,… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /server.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server.log HTTP/1.1` User-Agent Mozilla/5.0 (MeeGo; NokiaN950-00/00) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (MeeGo; NokiaN950-00/00) AppleWebKit/534.13 (KHTML, lik Requête brute (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (MeeGo; NokiaN950-00/00) AppleWebKit/534.13 (KHTML, like Gecko) NokiaBrowser/8.5.0 Mobile Safari/534.13 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "24b8ae7e550e8f1fa3b279857f9041f923b8c173", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "437770240dcc724c5033b3c158c576b84dde4de1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.345017366801377, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 92, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "82ecb5372e821eb2b8e3249bf4bdfd488011f8b1", "event_fingerprint": "7d1f86ddc20027b5a797ae4483e63ed54b413b54", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8023f80db0137313b234a5b9a095d867", "payload_hash": "5c4b9b886db442696e19e90e29276a7f", "path_pattern_hash": "1bb66c038c973622f0056a763496f9ef" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, lik", "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, lik", "evidence": { "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, lik", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b7e3446bf9ba2c655cca5587aa530b0e114edc20", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, lik", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, like Gecko) NokiaBrowser\/8.5.0 Mobile Safari\/534.13", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (MeeGo; NokiaN950-00\/00) AppleWebKit\/534.13 (KHTML, lik", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /logs/debug.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/debug.log UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /logs/debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /logs/debug.log HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/debug.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537 Requête brute (extrait) GET /logs/debug.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "5014d4114c4cbabd19d9fd2da5d287ad27a6f544", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "03e204e4d1092f0f3982669317d2eb101a33266b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.436876725146516, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8dc063c93bd17ad60bc64e2c742304fb05783fc9", "event_fingerprint": "0ef488a4d19915154373b24650c167410b0b617f", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b0ae87eff6920e57eb3c45e71d20538f", "payload_hash": "1b56244d0e3a403cc188f5151ea282bc", "path_pattern_hash": "2521db54cde5bdc17cc591777e55b15e" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537", "method": "GET", "path": "\/logs\/debug.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/debug.log HTTP\/1.1", "request_sample": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/logs\/debug.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/debug.log HTTP\/1.1", "request_sample": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "216b3b4c99820fa1a1910231571a6eef2c25e3ef", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/debug.log", "request_line": "GET \/logs\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/debug.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/debug.log", "request_line": "GET \/logs\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/debug.log", "evidence_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /app.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app.log UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWeb… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /app.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.log HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605 Requête brute (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "2c3d6cd7a702b5127707ae7ec0c186833807d77c", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "bd1d5b79d00a082701f913befabe9ce3bb41a839", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.359655683640328, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3c3f481c089434bc30cb29b8c756a13207898245", "event_fingerprint": "0b40b5ebf1ec47b3d875c9360ed415085114395a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ed4b337d2a4f3c93a710ad41872b631", "payload_hash": "2ca3b5df387036180c9264a50c19c2ef", "path_pattern_hash": "705676047b0602f87a6c259c895bc0e9" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605", "method": "GET", "path": "\/app.log", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.log HTTP\/1.1", "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605", "evidence": { "method": "GET", "path": "\/app.log", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.log HTTP\/1.1", "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "537459ff6c0d52bdba0613e5c4356982b2ace95e", "protocol_details": { "http_method": "GET", "http_path": "\/app.log", "request_line": "GET \/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app.log", "request_line": "GET \/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0 Mobile\/15E\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.log", "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit\/605", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /laravel.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /laravel.log UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /laravel.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /laravel.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /laravel.log HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /laravel.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Ge Requête brute (extrait) GET /laravel.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "13330a7d3aaee1569dd7ceebc04360c8b673fb08", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "5dd8c8bb33603d1ad2c91357a5bdf5e4a77e2fda", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 236, "payload_entropy": 5.450705820875084, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "1b9a0c05a2cfc2fd923f339ab5ac9cd46664df1d", "event_fingerprint": "e88a12904ae7f968864c6d8fb651da14b1969079", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8790bcb5c8899608c144ab0e4b52234f", "payload_hash": "05aa2bc50eb3e2880717e054e087f794", "path_pattern_hash": "e42ca631e5a6c090d1fddca82a4d1723" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "method": "GET", "path": "\/laravel.log", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/laravel.log HTTP\/1.1", "request_sample": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/laravel.log", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/laravel.log HTTP\/1.1", "request_sample": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db94e61705bf6918331b36bc692480a449342abc", "protocol_details": { "http_method": "GET", "http_path": "\/laravel.log", "request_line": "GET \/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/laravel.log", "request_line": "GET \/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel.log", "evidence_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Ge", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /src/sendgrid.py	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /src/sendgrid.py UA Mozilla/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /src/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /src/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /src/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /src/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit/537.36 (KH Requête brute (extrait) GET /src/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "f5ca42bc6f07f98343bb5458ad0eecc79214832f", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "1199ec6af8250c9d336ec91a467a574f2ae011ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.428474202300153, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4e9ee6c02a5943d02ed1fdefbaf390ad3389e177", "event_fingerprint": "3c3fea3193a6b59bacf5a5386ea8c1ac5dee9cd7", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "11f6c02b9f0bcdd16f8412f124b41c9a", "payload_hash": "686caad0d00132419e425e5c21a64889", "path_pattern_hash": "1599bd71dd6b66802ca7702f410c4986" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/src\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/src\/sendgrid.py", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2723f519fef0590bb786b7e20d2006d1443ee575", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.py", "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.py", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/src\/sendgrid.py", "request_line": "GET \/src\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/src\/sendgrid.py", "evidence_snippet": "GET \/src\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ANE-LX3) AppleWebKit\/537.36 (KH", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /sendgrid-config.json	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid-config.json UA Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid-config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /sendgrid-config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid-config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.7.5000 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (K Requête brute (extrait) GET /sendgrid-config.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.7.5000 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "87ebac2b3cc7ed6ba4ee408a82877492dcfa5d2e", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "7d5ebcf94187fd12c4375ea09c6c54bd408b8303", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.418703363717494, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "f1cab54dd92ca0f6a9385a54d6212e025363353c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b05785e0cf1ecbcc64b771618a4d8e5e", "payload_hash": "12c662b3cc1f79bf1b2e76bb1ed6071a", "path_pattern_hash": "170a7f6ff312a524729718105c471f02" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/sendgrid-config.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "request_sample": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.5000\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd559d34474ce45f03750a917fce04e272677641", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid-config.json", "request_line": "GET \/sendgrid-config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid-config.json", "evidence_snippet": "GET \/sendgrid-config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (K", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /application.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /application.log UA Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /application.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /application.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Requête brute (extrait) GET /application.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "d52ae5fd0587f0a8d63d73f658e4cfe1f696d2c4", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "194ffa296bf5bf546445bc77a4914a3c16983759", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.386102423166379, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3c3f481c089434bc30cb29b8c756a13207898245", "event_fingerprint": "2536c0175a55342119bef9f48e96a53aa4951087", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "34d1b3e31734a3b6e2d4550317d88d1a", "payload_hash": "ba990657cf1376f371dccc9d564a050b", "path_pattern_hash": "162fef3d3c20397fd9e19a55bcddfa03" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 ", "method": "GET", "path": "\/application.log", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.log HTTP\/1.1", "request_sample": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/application.log", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.log HTTP\/1.1", "request_sample": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a8a245c14bafe9d75b3fddd2fe581a5bd849feaa", "protocol_details": { "http_method": "GET", "http_path": "\/application.log", "request_line": "GET \/application.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/application.log", "request_line": "GET \/application.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.log", "evidence_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit\/537.36", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /logs/error.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/error.log UA Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /logs/error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /logs/error.log HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML like Gecko) Mobile/12A405 Version/7.0 Safari/9537.53 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600. Requête brute (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML like Gecko) Mobile/12A405 Version/7.0 Safari/9537.53 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "1509854c6277097889a195a0da43a8cb2a93947c", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "9d5f558e73ca716aa21e27c6081370ba7dda563b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.387525174322491, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "73c8149176c1678b824e3fc33976cf3a6d9b8676", "event_fingerprint": "3e89e21811341274f7ebb2a01ab1b60291e63a84", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "151ff1a06d5fe55b4c495056bd8e9e19", "payload_hash": "f2b77b0a37b9dd9d2912efbc4ba4d5e6", "path_pattern_hash": "11a7dc2316512e9b8311ac327e383bb9" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.", "method": "GET", "path": "\/logs\/error.log", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.1.4 (KHTML like Gecko) Mobile\/12A405 Version\/7.0 Safari\/9537.53", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/error.log HTTP\/1.1", "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.1.4 (KHTML like Gecko) Mobile\/12A405 Version\/7.0 Safari\/9537.53\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.", "evidence": { "method": "GET", "path": "\/logs\/error.log", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.1.4 (KHTML like Gecko) Mobile\/12A405 Version\/7.0 Safari\/9537.53", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/error.log HTTP\/1.1", "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.1.4 (KHTML like Gecko) Mobile\/12A405 Version\/7.0 Safari\/9537.53\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87510e14006ff046fceb54a66db76346d5797900", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/error.log", "request_line": "GET \/logs\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.1.4 (KHTML like Gecko) Mobile\/12A405 Version\/7.0 Safari\/\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/error.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/error.log", "request_line": "GET \/logs\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.1.4 (KHTML like Gecko) Mobile\/12A405 Version\/7.0 Safari\/\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/error.log", "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 8_0_2 like Mac OS X) AppleWebKit\/600.", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /error.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /error.log UA Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleW… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /error.log HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit Requête brute (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.464.0 Safari/534.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "d733ed21837b2d81f996cc3263203a4984a5d5dc", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "4bf2a42fc3c47a9cd3c9f83a2dcc96b460ea695c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.381893126134932, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3c3f481c089434bc30cb29b8c756a13207898245", "event_fingerprint": "d6327a165aa3666faf5597abf95c48f463047a15", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2480ac48c699fcac58c2adf504f6f4a", "payload_hash": "b5e78ea746f46d4388919dd20fc704ce", "path_pattern_hash": "377fe372f5c11075aea15748100afc0d" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit", "method": "GET", "path": "\/error.log", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/534.3", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/error.log HTTP\/1.1", "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/534.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit", "evidence": { "method": "GET", "path": "\/error.log", "user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/534.3", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/error.log HTTP\/1.1", "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/534.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ff78f77255530c0fc252a0b4ca1fa71e640fee0d", "protocol_details": { "http_method": "GET", "http_path": "\/error.log", "request_line": "GET \/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/error.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/error.log", "request_line": "GET \/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit\/534.3 (KHTML, like Gecko) Chrome\/6.0.464.0 Safari\/\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/error.log", "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /.vscode/sftp.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/sftp.json UA Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/sftp.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /.vscode/sftp.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/sftp.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100 Requête brute (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "8e2df75200b86f70dc1370a964b3b357f26370ca", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "a7b754a65cd3a72c45519ffad56ec4883c279ab1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 213, "payload_entropy": 5.326496753243344, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4e9ee6c02a5943d02ed1fdefbaf390ad3389e177", "event_fingerprint": "964bf44154bd26fde8fb124cf23edf80e0540da7", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3c2a951d6bfbd3aebc3ebea635b5531d", "payload_hash": "a14f8b53227ba011a0f8023a980ec871", "path_pattern_hash": "4379ee7559d68deac5f1bf414dd60187" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100", "method": "GET", "path": "\/.vscode\/sftp.json", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100101 Firefox\/20.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100101 Firefox\/20.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100", "evidence": { "method": "GET", "path": "\/.vscode\/sftp.json", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100101 Firefox\/20.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100101 Firefox\/20.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ca37f41578b62ab63b7593f2fd0b9bd8e10c0999", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/sftp.json", "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100101 Firefox\/20.0", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/sftp.json", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/sftp.json", "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100101 Firefox\/20.0", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/sftp.json", "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko\/20100", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /config/sendgrid.json	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config/sendgrid.json UA Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/sendgrid.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /config/sendgrid.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config/sendgrid.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537. Requête brute (extrait) GET /config/sendgrid.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "b3d22f895da9c2c4215ef423052260fc316ffda8", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "6c93d1b9fbdf8e8d128caa00a09f6faf39a40791", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.411416077265813, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c070fbfdc922d3ca5341e5ea21b34fc6f9d452f3", "event_fingerprint": "4dff5c3913a674b1f1782ac9d8d939732b3e6ef2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d20b07ded14e724ade48f5e902451797", "payload_hash": "3b1dd43272c3cc3421f08d20d95a5dc7", "path_pattern_hash": "b3c041376e66dccb94b76d7207504df9" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.", "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/config\/sendgrid.json", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "request_sample": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a0ccda51d8c44195818a4769917e8dd72900d3e", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config\/sendgrid.json", "request_line": "GET \/config\/sendgrid.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config\/sendgrid.json", "evidence_snippet": "GET \/config\/sendgrid.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /sendgrid.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /sendgrid.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET /sendgrid.yml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "34f935d5ebb9c50f602b2232992973209a734f25", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "fe30445de825aa0bffca483abd821a9f6a87533d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 236, "payload_entropy": 5.4553127087462, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "d801305adc54a62851e651b8f39b7e5634bb4a0d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8f45f599dd7b250f344f1d24874123f8", "payload_hash": "c57b3a3d8dc452163160ad7e47a12a47", "path_pattern_hash": "7777bc3cc4ee53dc76c001dce4e79fd5" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "method": "GET", "path": "\/sendgrid.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yml HTTP\/1.1", "request_sample": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "100dea2e782c5c4471eaf3d0de8c8fd65142003c", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yml", "request_line": "GET \/sendgrid.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yml", "evidence_snippet": "GET \/sendgrid.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /sendgrid.config.json	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.config.json UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWeb… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /sendgrid.config.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.config.json HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/79.0.259819395 Mobile/16G77 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) Ap Requête brute (extrait) GET /sendgrid.config.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/79.0.259819395 Mobile/16G77 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzi Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "acb41fe1ae0857b0bd3bcdc47e8f1b35ea8e759b", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "eeb189e33107611f717db38a6842e4ac40f53918", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 280, "payload_entropy": 5.421304608728124, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "be2264370aef30ca92b9e78206222ddbbefe266e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "74a4882ab5ea58bfd81ecf5cae966456", "payload_hash": "fc78e1e9259d8e57f26868aede79e27a", "path_pattern_hash": "d03aef47d2b763bc56a13f3ba838e778" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) Ap", "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/16G77 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/16G77 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) Ap", "evidence": { "method": "GET", "path": "\/sendgrid.config.json", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/16G77 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "request_sample": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobile\/16G77 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "52bb05a5ce41abbcb68cb18b4541bd57feb6d153", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobi\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) Ap", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.config.json", "request_line": "GET \/sendgrid.config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) GSA\/79.0.259819395 Mobi\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.config.json", "evidence_snippet": "GET \/sendgrid.config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) Ap", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /sendgrid.yaml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.yaml UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /sendgrid.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "3618d876ea9547a658340e8c872dc682ad8b3a88", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "6ddb9259a81c5943f174c8762a08f320950440bd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.440999277783994, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "1ce7caf71511aaf8ed9be13be72f65f2bc942954", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "49c0dda580385ccc028bbf81a618f759", "payload_hash": "8f00ed09080ec4431267d64807010e33", "path_pattern_hash": "586d42da805584afffe4b06de4328fe7" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/sendgrid.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "request_sample": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5a70de3e36e87c3119b18a19770ad4822e873153", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.yaml", "request_line": "GET \/sendgrid.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.yaml", "evidence_snippet": "GET \/sendgrid.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHT", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /.buildkite/pipeline.yml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.buildkite/pipeline.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.buildkite/pipeline.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /.buildkite/pipeline.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.buildkite/pipeline.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/ Requête brute (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "232de487a5195a98f978774b46e2001f8d9cfa57", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "4bafbac6a6a3a3e498ce6febcc708140823e7542", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.425468234153758, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4e9ee6c02a5943d02ed1fdefbaf390ad3389e177", "event_fingerprint": "10c11ee5d80cd5ba773c8359494d005e55304d5f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "387a3384b51e274c5e0c623c1ee3ed61", "payload_hash": "c5ca836c7a5a0863f3b3479b8425c09d", "path_pattern_hash": "483e00e02486581ed9691d00f40bae15" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fe135435137a2fa5154e494c22fec58793c12562", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /trace.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /trace.log UA Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /trace.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /trace.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /trace.log HTTP/1.1` User-Agent Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 Requête brute (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Opera/9.80 (Windows NT 5.1; U; zh-tw) Presto/2.8.131 Version/11.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "f5aa68ce0d176daced3e5603621b296b2ab1a7e7", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "0306f640cbfe7832e364cfa8aaa4495e8ef14f08", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 195, "payload_entropy": 5.1880650886070026, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3c3f481c089434bc30cb29b8c756a13207898245", "event_fingerprint": "66ee636e79f9b29cd843db24100a9335bf9497e8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "97f443d87205c2b6684b7ad10f42aec7", "payload_hash": "436a2b8b9774937fee9f52dea42c901a", "path_pattern_hash": "f8d80e9ce78cc8d6e0404ba95f5bd5a6" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10\r\n", "method": "GET", "path": "\/trace.log", "user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/trace.log HTTP\/1.1", "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "evidence": { "method": "GET", "path": "\/trace.log", "user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/trace.log HTTP\/1.1", "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fb0cef1f575c3b4464b3212781d875df6c84f927", "protocol_details": { "http_method": "GET", "http_path": "\/trace.log", "request_line": "GET \/trace.log HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/trace.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/trace.log", "request_line": "GET \/trace.log HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/trace.log", "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 5.1; U; zh-tw) Presto\/2.8.131 Version\/11.10", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9900 · (tentative d'exploit) · → /.htpasswd	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.htpasswd UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950522:leak-9 http_sensitive_path Cible HTTP GET /.htpasswd TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /.htpasswd Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Apache htpasswd LFI Apache htpasswd Ligne de requête `GET /.htpasswd HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-9 Payload (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "htpasswd", "http_ua_hash": "f0ef525948398fdaff37378faf665e7660c56304", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "ade2de8d21551efb00f221b43821b4acb26b6f79", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.43475826702611, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9fbe255a90b1f28abe9fafd1c7a01b60a6107375", "event_fingerprint": "cd205809aaade70ec4d439bae6dc9af4aa7a3be2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0469", "pat-0108" ], "matched_pattern_names": [ "Cred Apache htpasswd", "LFI Apache htpasswd" ], "pattern_ids": [ "pat-0469", "pat-0108" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "426618f63dbe51cbd2c9dbd8a2621c93", "payload_hash": "807aac8e41caf059850b117fe0658339", "path_pattern_hash": "229c0a4c773f5f9eeec1d298c58088ee" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ef01ed3317a7b4843082fdddd75c75e9f92d7a09", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htpasswd", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htpasswd", "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /logs/app.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/app.log UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/app.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /logs/app.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /logs/app.log HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.3 Requête brute (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "0267e5a445e2c25d72a7f2ee2d0cac878c3747c6", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "d0b8b644029ba159087a417f2e8eafdc14fc0ddb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.405040811070003, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "73c8149176c1678b824e3fc33976cf3a6d9b8676", "event_fingerprint": "71f84bf646d7ed8b757bc0866406d42f6cac56c2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "364a2082aefdab822ac47f5798189768", "payload_hash": "51a9845ce6ae5260064f33b1e64c14c8", "path_pattern_hash": "1ee40b92eb3b65f75911cb662d7e1127" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3", "method": "GET", "path": "\/logs\/app.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/app.log HTTP\/1.1", "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/logs\/app.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/app.log HTTP\/1.1", "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a49d21a0e6d71516f616bcebb2e76f2507b6a94c", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/app.log", "request_line": "GET \/logs\/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/app.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/app.log", "request_line": "GET \/logs\/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/app.log", "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.3", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /backend/sendgrid.py	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/sendgrid.py UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/sendgrid.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /backend/sendgrid.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/sendgrid.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /backend/sendgrid.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "996641f78ada5ff12803e09839c97ee755e0bc7d", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "9b3b3fd51ae018208ce4d96cbad2187f4475e746", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.466391281220274, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4e9ee6c02a5943d02ed1fdefbaf390ad3389e177", "event_fingerprint": "738439ebe0845a6fe7ed4fbd15aa22950376c022", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1756293008967ecc9f3456953a631f41", "payload_hash": "cec6965341fd1083b54b7d274a00aa8a", "path_pattern_hash": "ecf29d1ed95b1fd215637cce0a9e7303" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/backend\/sendgrid.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "request_sample": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "000152f565cc058e5fb864125f2386d6b4ca4e8e", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/sendgrid.py", "request_line": "GET \/backend\/sendgrid.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/sendgrid.py", "evidence_snippet": "GET \/backend\/sendgrid.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /local-config.php	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /local-config.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /local-config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /local-config.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /local-config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.102 Safari/537.36 Vivaldi/2.6.1566.44 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /local-config.php HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /local-config.php HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.102 Safari/537.36 Vivaldi/2.6.1566.44 Accept-Charset: utf-8 Accept-Encoding: gzip Connec Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "034b270daf1253bd074008b91f68599a49db88da", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "f971bf8f22fd021ef405c24b8881915ea7b1fbe0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.432140044288809, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "3d1038248b31ba750679d0ee68828278d1230da8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4124bc4bb309258b72fd9c578d405527", "payload_hash": "7939b212b45713552a0df1f7a0de714a", "path_pattern_hash": "00f0907ad6288d75ebc36cdda29800e8" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/local-config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.102 Safari\/537.36 Vivaldi\/2.6.1566.44", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/local-config.php HTTP\/1.1", "request_sample": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.102 Safari\/537.36 Vivaldi\/2.6.1566.44\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/local-config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.102 Safari\/537.36 Vivaldi\/2.6.1566.44", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/local-config.php HTTP\/1.1", "request_sample": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.102 Safari\/537.36 Vivaldi\/2.6.1566.44\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnec", "payload_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eba33ab7df9655a301239028c56085f55158c5bb", "protocol_details": { "http_method": "GET", "http_path": "\/local-config.php", "request_line": "GET \/local-config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.102 Safari\/537.36 Viv\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/local-config.php", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/local-config.php", "request_line": "GET \/local-config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.102 Safari\/537.36 Viv\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/local-config.php", "evidence_snippet": "GET \/local-config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9900 · (tentative d'exploit) · → /wp-config.php~	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php~ UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 http_backup_file_scan Cible HTTP GET /wp-config.php~ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /wp-config.php~ Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /wp-config.php Ligne de requête `GET /wp-config.php~ HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 Payload (extrait) GET /wp-config.php~ HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /wp-config.php~ HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php~", "http_ua_hash": "b69e2c055646bf42e2f0c628cd872d6c34edb137", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "863c7f3ef890e19c474d54faa2637f21aa61f24b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.429283896442937, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "4387dcbbcf6742470c462a1b7f5ee31f81d5576a", "event_fingerprint": "cca52bb6cbbe168bb71dca500b1b20058376dc5b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0195" ], "matched_pattern_names": [ "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0195" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63ac453956c024317dd5cf94c0ac969b", "payload_hash": "7f314fd9add57e993d0e4a2d937613c5", "path_pattern_hash": "01859822ace956c1e8cfef788e43bcce" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/wp-config.php~", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php~ HTTP\/1.1", "request_sample": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/wp-config.php~", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php~ HTTP\/1.1", "request_sample": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ad466c0e77f53a9e72f8fc7563222548f06c565", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php~", "request_line": "GET \/wp-config.php~ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php~", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php~", "request_line": "GET \/wp-config.php~ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php~", "evidence_snippet": "GET \/wp-config.php~ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:9900 · (tentative d'exploit) · → /deploy/secrets.json	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /deploy/secrets.json UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_k8s_probe Cible HTTP GET /deploy/secrets.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /deploy/secrets.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux pat-0496 Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Secrets JSON file Ligne de requête `GET /deploy/secrets.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /deploy/secrets.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi Requête brute (extrait) GET /deploy/secrets.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "3a0043e82108c0b5a41059e51f9fea8faaabad79", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "60385d96f8574ab4bcb6af1ba09ecde50592baec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.407839616774768, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4bf12cc5e57f4da7447fb93105837548b2ea8ade", "event_fingerprint": "f2c751e959f5b755cd74c1317b9f1c5494a18565", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 135, "precision_signals": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0496" ], "matched_pattern_names": [ "Cred Secrets JSON file" ], "pattern_ids": [ "pat-0496" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5c2a2bb4de0f6dae117290e599653832", "payload_hash": "9d44b32a3e196356c6f1e2b7d8ba4435", "path_pattern_hash": "be3edf5651a95f93a63bb6eed77eea15" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi", "method": "GET", "path": "\/deploy\/secrets.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/deploy\/secrets.json HTTP\/1.1", "request_sample": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi", "evidence": { "method": "GET", "path": "\/deploy\/secrets.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/deploy\/secrets.json HTTP\/1.1", "request_sample": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8aed36eb6c271fd9e381d687265464c10ef8c9b4", "protocol_details": { "http_method": "GET", "http_path": "\/deploy\/secrets.json", "request_line": "GET \/deploy\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi", "attack_vector": "credential file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/deploy\/secrets.json", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "pat-0496", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "pat-0496", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/deploy\/secrets.json", "request_line": "GET \/deploy\/secrets.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.80 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/deploy\/secrets.json", "evidence_snippet": "GET \/deploy\/secrets.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKi", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_k8s_probe", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /services/application.yml	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /services/application.yml UA Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC6-01/011.010; Profil… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /services/application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /services/application.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /services/application.yml HTTP/1.1` User-Agent Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC6-01/011.010; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.2 3gpp-gba Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /services/application.yml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC6-01/011.0 Requête brute (extrait) GET /services/application.yml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaC6-01/011.010; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.2 3gpp-gba Accept Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "569fc6ef46859c5e3874c5c9a05caaa213613428", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "55b6d2ef8836af67e6f27bf09e5982be1b55ff6c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 317, "payload_entropy": 5.433095576272799, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 68, "tag_count": 5, "anomaly_count": 0, "campaign_key": "fc108f8e1b46d9d3bfe10f1b709c812bd00d7723", "event_fingerprint": "6c735b5c29edffb3c696d653f00435ca724b5643", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63d68655b0c349afdc257e51d77a4715", "payload_hash": "6873ac41ce892483640d971d64272890", "path_pattern_hash": "427a79bd587af67e27894e14297375f5" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.0", "method": "GET", "path": "\/services\/application.yml", "user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.2 3gpp-gba", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/services\/application.yml HTTP\/1.1", "request_sample": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.2 3gpp-gba\r\nAccept", "payload_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.0", "evidence": { "method": "GET", "path": "\/services\/application.yml", "user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.2 3gpp-gba", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/services\/application.yml HTTP\/1.1", "request_sample": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.2 3gpp-gba\r\nAccept", "payload_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d85c43574d8e2ae77185ff2b451cfc50dc31c25d", "protocol_details": { "http_method": "GET", "http_path": "\/services\/application.yml", "request_line": "GET \/services\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.0", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/application.yml", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/services\/application.yml", "request_line": "GET \/services\/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.010; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/services\/application.yml", "evidence_snippet": "GET \/services\/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaC6-01\/011.0", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9900 · (tentative d'exploit) · → /bootstrap/cache/config.php	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /bootstrap/cache/config.php UA Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /bootstrap/cache/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /bootstrap/cache/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /bootstrap/cache/config.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /bootstrap/cache/config.php HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 Requête brute (extrait) GET /bootstrap/cache/config.php HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "php", "http_ua_hash": "5c62382c707e3594f9b439b35099cfa8d48abbcf", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "bac3b02f1ce936e593505ba9114b968f810c00c8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.400084680959659, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "83af4764d90614a94c4b444ef57f93a2112b44e0", "event_fingerprint": "ecfd6fbfa48d5b587269472a0818bd2d00bd6add", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1aa9a3b607358d5fc8539c161a50040b", "payload_hash": "ba227e80d078f612e69af00ce1d9a848", "path_pattern_hash": "9823c90115688ca8a60aa1cefb3b4c36" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 ", "method": "GET", "path": "\/bootstrap\/cache\/config.php", "user_agent": "Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "request_sample": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/bootstrap\/cache\/config.php", "user_agent": "Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "request_sample": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4f25c453200eb6c8e5afaec3e5813fc5d57f54df", "protocol_details": { "http_method": "GET", "http_path": "\/bootstrap\/cache\/config.php", "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bootstrap\/cache\/config.php", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bootstrap\/cache\/config.php", "request_line": "GET \/bootstrap\/cache\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bootstrap\/cache\/config.php", "evidence_snippet": "GET \/bootstrap\/cache\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9900 · (tentative d'exploit) · → /v1/config.json	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v1/config.json UA Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v1/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /v1/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v1/config.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /v1/config.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /v1/config.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "a53a7d6148a7ca32affa8032cf53c861f7776cd1", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "e1865ad3140924e10c86b3b0491226fecbd86d31", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 238, "payload_entropy": 5.4314540826757085, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "2520b8a59de91c66ccfef08746fc13625184f712", "event_fingerprint": "c0c5d0d60c085c2f7c581e77c4c9cb29c68fc788", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3de0fb6043302afabeee48b7e117339b", "payload_hash": "4ecf89ed0dc0b7ff82f9c7ad75716dca", "path_pattern_hash": "4172adffd8adf564d7794f5ddcfe5fac" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like", "method": "GET", "path": "\/v1\/config.json", "user_agent": "Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v1\/config.json HTTP\/1.1", "request_sample": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/v1\/config.json", "user_agent": "Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v1\/config.json HTTP\/1.1", "request_sample": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9ad04958d9e145c5a4ed4beb20bcf3fd3000b53b", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/config.json", "request_line": "GET \/v1\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/config.json", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/config.json", "request_line": "GET \/v1\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/config.json", "evidence_snippet": "GET \/v1\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux armv7l) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9900 · (tentative d'exploit) · → /wp-config.php.old	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.php.old UA Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) … Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 950521:leak-8 Cible HTTP GET /wp-config.php.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /wp-config.php.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0195 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 933111 Probe /wp-config.php Ligne de requête `GET /wp-config.php.old HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 leak-8 Payload (extrait) GET /wp-config.php.old HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47 Requête brute (extrait) GET /wp-config.php.old HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "e8c7024aa0a1fde083832602708a21268842c09c", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "24c516a67db44cfad409a699aaddb7e13edd5983", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 279, "payload_entropy": 5.447140319405863, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 68, "tag_count": 8, "anomaly_count": 0, "campaign_key": "6fd9b696f3d422bceaa6e94eccbd6fcb04b3d263", "event_fingerprint": "da637ab1952d7bdf6849e7976eb0b141d5f6049f", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0160", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0195" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4e806912151c12c6baafb6da3bab5ded", "payload_hash": "3c6f248c5cbdbcf344594a1ba3b97b17", "path_pattern_hash": "5fcd528564d98f34a98115294a2df668" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47", "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47", "evidence": { "method": "GET", "path": "\/wp-config.php.old", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.old HTTP\/1.1", "request_sample": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.83 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dc1b54b5799272cbe8801c38f118110240a0d81b", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47", "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0195", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0195", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.old", "request_line": "GET \/wp-config.php.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47V) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.php.old", "evidence_snippet": "GET \/wp-config.php.old HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build\/LMY47", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /app/config/parameters.yml	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config/parameters.yml UA Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Ge… Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/config/parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /app/config/parameters.yml Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 52 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config/parameters.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) MxBrowser/4.5.10.7000 Chrome/30.0.1551.0 Safari/537.36 Règles WAF nosqli-3 Payload (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) MxBrowser/4.5.10.7000 Chrome/30.0.1551.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "bd8b75a0c83c610d9cfa26a365a1dd6fcfaf2c5c", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "cc8382c07ae1d99dcd8bb8a9e6a6c1ada2d7d586", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.38298994797358, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c8645a0b987fa6a1488206ae52d840117f8b33b7", "event_fingerprint": "640eb56de38f77969855cc2ee41c0021858c7192", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "511440155f5c669528115b563f989668", "payload_hash": "8aa0741bf243debbacf2169fc6b636de", "path_pattern_hash": "14e465936c1b9cf9455ba711f44752e2" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) MxBrowser\/4.5.10.7000 Chrome\/30.0.1551.0 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) MxBrowser\/4.5.10.7000 Chrome\/30.0.1551.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) MxBrowser\/4.5.10.7000 Chrome\/30.0.1551.0 Safari\/537.36", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) MxBrowser\/4.5.10.7000 Chrome\/30.0.1551.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHT", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9c81f9d4e28c3c6a095d14f302be76ab6d001efe", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) MxBrowser\/4.5.10.7000 Chrome\/30.0.1551.0 Safari\/537\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yml", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) MxBrowser\/4.5.10.7000 Chrome\/30.0.1551.0 Safari\/537\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yml", "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHT", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /app/config/parameters.yaml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config/parameters.yaml UA Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/config/parameters.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /app/config/parameters.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config/parameters.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKi Requête brute (extrait) GET /app/config/parameters.yaml HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yaml", "http_ua_hash": "9f44694db042382b1894b9467bda9cec0203a128", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "83aab3d7a9203cac49bf41e0b5a1c79c704b2790", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.383396915888023, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4e9ee6c02a5943d02ed1fdefbaf390ad3389e177", "event_fingerprint": "db986696395c0e4d2e0f4589af1b8323b4bd5539", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dfad63a0b311a8b1ad2a0387ee24907c", "payload_hash": "14d680ceaf37a5b245a943a24007449d", "path_pattern_hash": "8c6e5c3e505e4438940b3e0a90e2956a" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKi", "method": "GET", "path": "\/app\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKi", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yaml", "user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKi", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee78d4988ea468e473194f2b2882849514fc00ff", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yaml", "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKi", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yaml", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yaml", "request_line": "GET \/app\/config\/parameters.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config\/parameters.yaml", "evidence_snippet": "GET \/app\/config\/parameters.yaml HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; Pixel 3) AppleWebKi", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /storage/logs/laravel.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /storage/logs/laravel.log UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /storage/logs/laravel.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /storage/logs/laravel.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Laravel log Ligne de requête `GET /storage/logs/laravel.log HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537. Requête brute (extrait) GET /storage/logs/laravel.log HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "log", "http_ua_hash": "8f29881d404c173b0bbf771ef3c83db42f1a0cf8", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "8fec6092b6d50f048de7f5341eb923ae4a4ab6d3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.403532112371906, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "807cbb5ce72679f89c986ccee8565f6cc92a8fe0", "event_fingerprint": "15c5106d9c6a29af04baf7a79131a55e4ee36114", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0124" ], "matched_pattern_names": [ "LFI Laravel log" ], "pattern_ids": [ "pat-0124" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a392c1883dd0dfa44ecd91fa04244309", "payload_hash": "f4201f8a3e02328389f0c229cfbc668d", "path_pattern_hash": "6f29914bb94c22caf991d0657dba887c" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.", "method": "GET", "path": "\/storage\/logs\/laravel.log", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/storage\/logs\/laravel.log", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "request_sample": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cf1ac7ad92e66e606f23daa41be5cf2724d4f81b", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/logs\/laravel.log", "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/logs\/laravel.log", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/storage\/logs\/laravel.log", "request_line": "GET \/storage\/logs\/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/storage\/logs\/laravel.log", "evidence_snippet": "GET \/storage\/logs\/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9900 · (tentative d'exploit) · → /v2/config.json	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v2/config.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v2/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /v2/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 67 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v2/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /v2/config.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K Requête brute (extrait) GET /v2/config.json HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "64c7efa230f463888dd965036327a5ae213b72d9", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "504546e13c6c46b821dc777793aed750fb706b7d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.429585265823293, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 6, "anomaly_count": 0, "campaign_key": "2520b8a59de91c66ccfef08746fc13625184f712", "event_fingerprint": "570b1a3463817f62bd04491085a28575c097dcea", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d6dfa487c202fa079fb77c219d152d2f", "payload_hash": "cfa32dd01b413013f4a1241983ab140b", "path_pattern_hash": "00362549a7b517b90a1400deaafa2985" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/v2\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v2\/config.json HTTP\/1.1", "request_sample": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/v2\/config.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/v2\/config.json HTTP\/1.1", "request_sample": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "255e418fb15ec3bf83a572c1ab3ce3b213692f8d", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/config.json", "request_line": "GET \/v2\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K", "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/config.json", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/config.json", "request_line": "GET \/v2\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/config.json", "evidence_snippet": "GET \/v2\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (K", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /settings/production.py	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /settings/production.py UA Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/1… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_settings Cible HTTP GET /settings/production.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /settings/production.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /settings/production.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Iceweasel/14.0.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /settings/production.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 F Requête brute (extrait) GET /settings/production.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Iceweasel/14.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "1094b3ca5d5f98d9a97b3c6110f00b743945ab15", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "cc6b445184452f6e13afcdd1d02a9b366ff0376c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 227, "payload_entropy": 5.262613952172273, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "b64b81b9a0fc1ee6d142a4d55d4964714f8f0839", "event_fingerprint": "5cb568513361f697309b8aecb19e584c8549c3a1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c403fa8e6fdfe2347f4c6bd222515208", "payload_hash": "8e101a2da86f38d96a0715f937dae6e9", "path_pattern_hash": "c348ef618ef0bfa50ce56f012c84455f" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 F", "method": "GET", "path": "\/settings\/production.py", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 Firefox\/14.0.1 Iceweasel\/14.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/production.py HTTP\/1.1", "request_sample": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 Firefox\/14.0.1 Iceweasel\/14.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 F", "evidence": { "method": "GET", "path": "\/settings\/production.py", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 Firefox\/14.0.1 Iceweasel\/14.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/settings\/production.py HTTP\/1.1", "request_sample": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 Firefox\/14.0.1 Iceweasel\/14.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 F", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8bc8392ab055b463525faa9dee4432b460d3441e", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/production.py", "request_line": "GET \/settings\/production.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 Firefox\/14.0.1 Iceweasel\/14.0.1", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 F", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/production.py", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/settings\/production.py", "request_line": "GET \/settings\/production.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 Firefox\/14.0.1 Iceweasel\/14.0.1", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/settings\/production.py", "evidence_snippet": "GET \/settings\/production.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:14.0) Gecko\/20100101 F", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_settings", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9900 · (tentative d'exploit) · → /wp-config.bak	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /wp-config.bak UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950521:leak-8 http_backup_file_scan Cible HTTP GET /wp-config.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /wp-config.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /wp-config.bak HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-8 Payload (extrait) GET /wp-config.bak HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537. Requête brute (extrait) GET /wp-config.bak HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "e6787b8d3a187a1be37edfc4fdc9e5da8e4861d4", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "d73217ca969ed03b12511b11b89b08b96130cc19", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.435997730409023, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c2e29e7d4a090ab8937133fb6435f69dbba2ad2d", "event_fingerprint": "fee3cbe0e93a7e7a688eb8f9559da6456b88d373", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 143, "precision_signals": [ "SIGMA-web-config-leak", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "86b6e6c53374b91205e624c6014811fc", "payload_hash": "82ae26a9072e73cfa0b4d58ee735cfd3", "path_pattern_hash": "513fb4daa4f4d1d20414ef0e31bb8617" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.", "method": "GET", "path": "\/wp-config.bak", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/wp-config.bak HTTP\/1.1", "request_sample": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/wp-config.bak", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/wp-config.bak HTTP\/1.1", "request_sample": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e31b742ebb7a232f356370a33f40400bb08eac4c", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.bak", "request_line": "GET \/wp-config.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.", "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.bak", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.bak", "request_line": "GET \/wp-config.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/wp-config.bak", "evidence_snippet": "GET \/wp-config.bak HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /private.key	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /private.key UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /private.key TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /private.key Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private.key HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.49 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private.key HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 Requête brute (extrait) GET /private.key HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.49 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "key", "http_ua_hash": "3e6e8fbfbb2fc8e4d9e44b508c85802f2f648e4e", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "778f1a2da806bd5e8dfbe960a44247fae7b2ad06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.4163585617700205, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "e72e2997709a3b20aa623a0240b7043681ad18da", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e925462f978a08b5db201cbaeebc73ea", "payload_hash": "f8c87fde9bc01dad6d91e5bd1bb75d67", "path_pattern_hash": "99d81cc4cfd81ec40e55a6efe29c670b" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "method": "GET", "path": "\/private.key", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.key HTTP\/1.1", "request_sample": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/private.key", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.key HTTP\/1.1", "request_sample": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "931b4b54887c71fd0db14615489d72a723e00673", "protocol_details": { "http_method": "GET", "http_path": "\/private.key", "request_line": "GET \/private.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.key", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private.key", "request_line": "GET \/private.key HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.49 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.key", "evidence_snippet": "GET \/private.key HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:9900 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9900 Chemin / cible — Service TLS Payload ��S�z��p��1;��FK��RN��P k�� p��_�8_s��S�A��L��^�K��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��S�z��p��1;��FK��RN��P k��p��_�8_s��S�A��L��^�K��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��S�z��p��1;��FK��RN��P k�� p��_�8_s��S�A��L��^�K��&�+�/�,�0̨̩� �� /5� w �+3&$ \>�t��L� :+��k�&� ��4�"E�Z�w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.83926675134985, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9bc6e9422076201846bf3268f1c965cbd91f8034", "event_fingerprint": "494c9f1d51d87e4e628444cc1ac6318d28c9083c", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "e61d094b44a41d486f82ed7121506919", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9900, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffdz\ufffd\u0002\u001e\ufffd\ufffd\ufffd\u0013\u0002\ufffdp\ufffd\ufffd1;\ufffd\ufffd\ufffd\ufffdFK\ufffd\ufffdR\u0012N\ufffd\ufffdP k\u001b\ufffd\ufffd\fp\ufffd\u001e\ufffd_\ufffd8_s\ufffd\ufffdS\u0011\ufffdA\ufffd\ufffdL\ufffd\ufffd\ufffd^\ufffdK\ufffd\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffdz\ufffd\u0002\u001e\ufffd\ufffd\ufffd\u0013\u0002\ufffdp\ufffd\ufffd1;\ufffd\ufffd\ufffd\ufffdFK\ufffd\ufffdR\u0012N\ufffd\ufffdP k\u001b\ufffd\ufffd\fp\ufffd\u001e\ufffd_\ufffd8_s\ufffd\ufffdS\u0011\ufffdA\ufffd\ufffdL\ufffd\ufffd\ufffd^\ufffdK\ufffd\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \\>\ufffdt\ufffd\ufffd\u0016\ufffdL\ufffd :+\ufffd\u0006\ufffdk\u0010\ufffd&\ufffd\n\ufffd\ufffd4\ufffd\"E\ufffdZ\ufffdw", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffdz\ufffd\u0002\u001e\ufffd\ufffd\ufffd\u0013\u0002\ufffdp\ufffd\ufffd1;\ufffd\ufffd\ufffd\ufffdFK\ufffd\ufffdR\u0012N\ufffd\ufffdP k\u001b\ufffd\ufffd\fp\ufffd\u001e\ufffd_\ufffd8_s\ufffd\ufffdS\u0011\ufffdA\ufffd\ufffdL\ufffd\ufffd\ufffd^\ufffdK\ufffd\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "02f079bd27b70a6c4f8fe9f1d0dbe22593e0ae3a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffdz\ufffd\u0002\u001e\ufffd\ufffd\ufffd\u0013\u0002\ufffdp\ufffd\ufffd1;\ufffd\ufffd\ufffd\ufffdFK\ufffd\ufffdR\u0012N\ufffd\ufffdP k\u001b\ufffd\ufffd\fp\ufffd\u001e\ufffd_\ufffd8_s\ufffd\ufffdS\u0011\ufffdA\ufffd\ufffdL\ufffd\ufffd\ufffd^\ufffdK\ufffd\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9900, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdS\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdp\ufffd\ufffd1;\ufffd\ufffd\ufffd\ufffdFK\ufffd\ufffdRN\ufffd\ufffdP k\ufffd\ufffdp\ufffd\ufffd_\ufffd8_s\ufffd\ufffdS\ufffdA\ufffd\ufffdL\ufffd\ufffd\ufffd^\ufffdK\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:9900 \u00b7 (sonde \/ probe)", "target_port_label": "9900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003S\ufffdz\ufffd\u0002\u001e\ufffd\ufffd\ufffd\u0013\u0002\ufffdp\ufffd\ufffd1;\ufffd\ufffd\ufffd\ufffdFK\ufffd\ufffdR\u0012N\ufffd\ufffdP k\u001b\ufffd\ufffd\fp\ufffd\u001e\ufffd_\ufffd8_s\ufffd\ufffdS\u0011\ufffdA\ufffd\ufffdL\ufffd\ufffd\ufffd^\ufffdK\ufffd\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9900, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:9900 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdS\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdp\ufffd\ufffd1;\ufffd\ufffd\ufffd\ufffdFK\ufffd\ufffdRN\ufffd\ufffdP k\ufffd\ufffdp\ufffd\ufffd_\ufffd8_s\ufffd\ufffdS\ufffdA\ufffd\ufffdL\ufffd\ufffd\ufffd^\ufffdK\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /.bash_history	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.bash_history UA Mozilla/5.0 (Linux; Android 9; SM-G950U) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.bash_history TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /.bash_history Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Bash history Ligne de requête `GET /.bash_history HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.bash_history HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G950U) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /.bash_history HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bash_history", "http_ua_hash": "64442b763cb58f4225633b8e3a30cb98c4d16c39", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "3740e867d7aba2aaaf44f99aaa36772f226b5d91", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.441795084367226, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "1ba5541c58240a8e37de2a1c7d1962a2cf5ce907", "event_fingerprint": "bd0712695e7a3d24a9e9b2b6eb0e845ab53189ed", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0109" ], "matched_pattern_names": [ "LFI Bash history" ], "pattern_ids": [ "pat-0109" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f83efd3f4dbb9c6b98d932320bef6878", "payload_hash": "9c9b30e638514400f8445e618839a370", "path_pattern_hash": "70ca8eb80ffbde2088a35c267977e4d4" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/.bash_history", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.bash_history HTTP\/1.1", "request_sample": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/.bash_history", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.bash_history HTTP\/1.1", "request_sample": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b84db0e7c3797e326f745d61d6bb8ab64b2c21aa", "protocol_details": { "http_method": "GET", "http_path": "\/.bash_history", "request_line": "GET \/.bash_history HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.bash_history", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.bash_history", "request_line": "GET \/.bash_history HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.bash_history", "evidence_snippet": "GET \/.bash_history HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G950U) AppleWebKit\/537.36 (KHT", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /.netrc	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.netrc UA Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.netrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /.netrc Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Netrc credentials Ligne de requête `GET /.netrc HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) A Requête brute (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "netrc", "http_ua_hash": "d7c60473ca507d0f267a16bb2c90d1bcbbc70259", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "b7551dc22135c68ecee0a4d011ec4c0b7c771e06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.409688487808276, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "d30c6ef9de6df0de0365dc83aee97480461af16e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0482" ], "matched_pattern_names": [ "Cred Netrc credentials" ], "pattern_ids": [ "pat-0482" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1104c74dd435280ff2b2099a808bc6c8", "payload_hash": "99b1caab666ef8ca048e188e270a6666", "path_pattern_hash": "5fa317981ba713f7d39164540951d6bb" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) A", "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) A", "evidence": { "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) A", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c568d075260aab18ba67fd09bb32336d0ac65078", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) A", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.netrc", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.netrc", "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) A", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:9900 · (tentative d'exploit) · → /.ssh/id_rsa	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.ssh/id_rsa UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.3… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_id_rsa Cible HTTP GET /.ssh/id_rsa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /.ssh/id_rsa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde clé SSH / id_rsa · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-credential-file Http Id Rsa pat-0490 pat-0495 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH key in .ssh Cred SSH private key id_rsa Ligne de requête `GET /.ssh/id_rsa HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 ( Requête brute (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ssh\/id_rsa", "http_ua_hash": "db8d17a8037deeb666ae7780dd22b987a1507927", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "d951dfd854ab99392c126a2628ec52b85415a678", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.457907849982583, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "1d14813bab18118dabe97f8db17dccda36101def", "event_fingerprint": "a596c0fbc39362845412b0f52f9dc2de427fc638", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 393, "precision_signals": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0490", "pat-0495" ], "matched_pattern_names": [ "Cred SSH key in .ssh", "Cred SSH private key id_rsa" ], "pattern_ids": [ "pat-0490", "pat-0495" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "55e79b0731b665179b078f6c2ca76344", "payload_hash": "bff718d748fa7ffde3fa399c1b09d2fe", "path_pattern_hash": "6eca2c923ad05fff3eba197c659999e2" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (", "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "27c8783d1c823f1c32548ce1760b165bb564b1f3", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (", "attack_vector": "credential file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "Http Id Rsa", "pat-0490", "pat-0495" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_id_rsa", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /config.js	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /config.js UA Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /config.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /config.js HTTP/1.1` User-Agent Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config.js HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00 Requête brute (extrait) GET /config.js HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "ed47366bfc9b8df56d87969075d79b958a7bdaff", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "67b3179b286c960b4be84ff433764afe1a997eeb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 195, "payload_entropy": 5.206769285227181, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "10208b38e05a0dcce4d0b438c59b2bafb4fb3c36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f018125e546bfcd299bb3338faaae062", "payload_hash": "f95445b8824276cd973d733deab43bcc", "path_pattern_hash": "0ad09149f0572f6cdaf5a224970ea0d2" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00\r\n", "method": "GET", "path": "\/config.js", "user_agent": "Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.js HTTP\/1.1", "request_sample": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00", "evidence": { "method": "GET", "path": "\/config.js", "user_agent": "Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config.js HTTP\/1.1", "request_sample": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "053b1b915dfd1df301cb8b98a68464525559206a", "protocol_details": { "http_method": "GET", "http_path": "\/config.js", "request_line": "GET \/config.js HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.js", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/config.js", "request_line": "GET \/config.js HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/config.js", "evidence_snippet": "GET \/config.js HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Opera\/9.80 (Windows NT 6.1; U; es-ES) Presto\/2.9.181 Version\/12.00", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9900 · (tentative d'exploit) · → /.gitconfig	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.gitconfig UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.gitconfig TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /.gitconfig Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.gitconfig HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/73.0.3683.86 Chrome/73.0.3683.86 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/73.0.3683.86 Chrome/73.0.3683.86 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "gitconfig", "http_ua_hash": "98ad220b5d6ad3d84a4829d0ef5324e6b1b345aa", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "4552edeb48a162af2c0944497328c6fed5ef02ec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.4148935110490175, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "7d386f2337a06f3d613c0684802ec11a38166c57", "event_fingerprint": "526f36290b870cc0d1b701f51cb2a92202ce5655", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "32ff1b0517d15cc0a9acff180370e6ec", "payload_hash": "f2f48d6b67a001e276e4c0d91e8ba44e", "path_pattern_hash": "15182e65e3e4c28fd6667d0a76628de0" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/.gitconfig", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/73.0.3683.86 Chrome\/73.0.3683.86 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/73.0.3683.86 Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/.gitconfig", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/73.0.3683.86 Chrome\/73.0.3683.86 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/73.0.3683.86 Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9c7650109d1f88d5bd84562d597bcfd3379c5835", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/73.0.3683.86 Chrome\/73.0.3683.86\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/73.0.3683.86 Chrome\/73.0.3683.86\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /backend/settings.py	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/settings.py UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/settings.py TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /backend/settings.py Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Django settings Ligne de requête `GET /backend/settings.py HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/71.0.3578.98 Chrome/71.0.3578.98 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/settings.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /backend/settings.py HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/71.0.3578.98 Chrome/71.0.3578.98 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Conne Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "py", "http_ua_hash": "d362c219ceda8e4202c2ddf7f91be31b757c6d7b", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "e3978a68997e27e7c0be3cc288a529b4c552616f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 272, "payload_entropy": 5.466327983119097, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4e9ee6c02a5943d02ed1fdefbaf390ad3389e177", "event_fingerprint": "3fa1c2fa7eec23a2e20debaab745ff0cd742b632", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0112" ], "matched_pattern_names": [ "LFI Django settings" ], "pattern_ids": [ "pat-0112" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9d2ef4da67532251616f8edab66509af", "payload_hash": "89cd43331d65c125d5d4274cebcdbc71", "path_pattern_hash": "3d2d12cf8593ec32b773f024d351f3c1" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/backend\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/backend\/settings.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/71.0.3578.98 Chrome\/71.0.3578.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/settings.py HTTP\/1.1", "request_sample": "GET \/backend\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/71.0.3578.98 Chrome\/71.0.3578.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/backend\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/backend\/settings.py", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/71.0.3578.98 Chrome\/71.0.3578.98 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/settings.py HTTP\/1.1", "request_sample": "GET \/backend\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/71.0.3578.98 Chrome\/71.0.3578.98 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConne", "payload_snippet": "GET \/backend\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "050f62a5dd2f4d25b08c9d4a0ead9c326915e17f", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/settings.py", "request_line": "GET \/backend\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/71.0.3578.98 Chrome\/71.0.3578.98\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/settings.py", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/settings.py", "request_line": "GET \/backend\/settings.py HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/71.0.3578.98 Chrome\/71.0.3578.98\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/settings.py", "evidence_snippet": "GET \/backend\/settings.py HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:9900 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9900 Chemin / cible — Service TLS Payload ��ӊ��@X��4v�`�Pȿ�]�� .�tAc� ��(1��O<��K� �@&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��ӊ��@X��4v�`�Pȿ�]�� .�tAc� ��(1��O<��K� �@&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ӊ��@X��4v�`�Pȿ�]�� .�tAc� ��(1��O<��K� �@&�+�/�,�0̨̩� �� /5� w �+3&$ �A��ԍ�Q�11}n��_�O3��* Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.819310536747896, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9bc6e9422076201846bf3268f1c965cbd91f8034", "event_fingerprint": "494c9f1d51d87e4e628444cc1ac6318d28c9083c", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "e0543514794534a395ee7cba9434c32c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9900, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u04ca\ufffd\ufffd\ufffd\ufffd\u001d@X\ufffd\ufffd4v\ufffd\u0017`\ufffdP\u023f\ufffd\u0014]\u001b\ufffd\ufffd\ufffd\ufffd \ufffd\u0007\ufffd.\ufffdt\u0017Ac\ufffd\n\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd(1\ufffd\ufffdO<\ufffd\ufffdK\ufffd \ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u04ca\ufffd\ufffd\ufffd\ufffd\u001d@X\ufffd\ufffd4v\ufffd\u0017`\ufffdP\u023f\ufffd\u0014]\u001b\ufffd\ufffd\ufffd\ufffd \ufffd\u0007\ufffd.\ufffdt\u0017Ac\ufffd\n\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd(1\ufffd\ufffdO<\ufffd\ufffdK\ufffd \ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdA\ufffd\ufffd\u0012\ufffd\u0019\u050d\ufffdQ\ufffd11}n\ufffd\u001c\ufffd\ufffd\u001a_\ufffd\u001aO3\ufffd\ufffd\ufffd\ufffd\u0018*", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u04ca\ufffd\ufffd\ufffd\ufffd\u001d@X\ufffd\ufffd4v\ufffd\u0017`\ufffdP\u023f\ufffd\u0014]\u001b\ufffd\ufffd\ufffd\ufffd \ufffd\u0007\ufffd.\ufffdt\u0017Ac\ufffd\n\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd(1\ufffd\ufffdO<\ufffd\ufffdK\ufffd \ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e9de70aa186d65aaac08b2ac125d9bf07152e59a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u04ca\ufffd\ufffd\ufffd\ufffd\u001d@X\ufffd\ufffd4v\ufffd\u0017`\ufffdP\u023f\ufffd\u0014]\u001b\ufffd\ufffd\ufffd\ufffd \ufffd\u0007\ufffd.\ufffdt\u0017Ac\ufffd\n\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd(1\ufffd\ufffdO<\ufffd\ufffdK\ufffd \ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9900, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u04ca\ufffd\ufffd\ufffd\ufffd@X\ufffd\ufffd4v\ufffd`\ufffdP\u023f\ufffd]\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd.\ufffdtAc\ufffd\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(1\ufffd\ufffdO<\ufffd\ufffdK\ufffd \ufffd@&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:9900 \u00b7 (sonde \/ probe)", "target_port_label": "9900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u04ca\ufffd\ufffd\ufffd\ufffd\u001d@X\ufffd\ufffd4v\ufffd\u0017`\ufffdP\u023f\ufffd\u0014]\u001b\ufffd\ufffd\ufffd\ufffd \ufffd\u0007\ufffd.\ufffdt\u0017Ac\ufffd\n\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd(1\ufffd\ufffdO<\ufffd\ufffdK\ufffd \ufffd@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9900, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:9900 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u04ca\ufffd\ufffd\ufffd\ufffd@X\ufffd\ufffd4v\ufffd`\ufffdP\u023f\ufffd]\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd.\ufffdtAc\ufffd\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(1\ufffd\ufffdO<\ufffd\ufffdK\ufffd \ufffd@&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:9900 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9900 Chemin / cible — Service TLS Payload ��p^�U&�տt��_:j1:��mQ)��R ފ1��7�,�Y�׺V�Z�֭\�Ս�/\|�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��p^�U&�տt��_:j1:��mQ)��R ފ1��7�,�Y�׺V�Z�֭\�Ս�/\|�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��p^�U&�տt��_:j1:��mQ)��R ފ1��7�,�Y�׺V�Z�֭\�Ս�/\|�&�+�/�,�0̨̩� �� /5� w �+3&$ ��z�8�_��Z�@:��gsyv?�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8223552702621255, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9bc6e9422076201846bf3268f1c965cbd91f8034", "event_fingerprint": "494c9f1d51d87e4e628444cc1ac6318d28c9083c", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "efc08402e739c5edeff5218a015ced06", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9900, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdp^\ufffdU&\ufffd\u057ft\ufffd\u001c\u0012\ufffd\ufffd\b_:j1:\ufffd\ufffdmQ)\ufffd\ufffd\u0007R \u078a1\ufffd\ufffd\ufffd7\ufffd,\ufffdY\ufffd\u05faV\ufffdZ\ufffd\u05ad\\\ufffd\u054d\ufffd\/\u0004\u0015\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdp^\ufffdU&\ufffd\u057ft\ufffd\u001c\u0012\ufffd\ufffd\b_:j1:\ufffd\ufffdmQ)\ufffd\ufffd\u0007R \u078a1\ufffd\ufffd\ufffd7\ufffd,\ufffdY\ufffd\u05faV\ufffdZ\ufffd\u05ad\\\ufffd\u054d\ufffd\/\u0004\u0015\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \f\ufffd\ufffdz\ufffd\u00028\ufffd\u0004\u000e_\ufffd\ufffd\ufffd\u0013Z\u0006\ufffd@:\ufffd\ufffd\ufffdgsyv?\ufffd\ufffd\u001e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdp^\ufffdU&\ufffd\u057ft\ufffd\u001c\u0012\ufffd\ufffd\b_:j1:\ufffd\ufffdmQ)\ufffd\ufffd\u0007R \u078a1\ufffd\ufffd\ufffd7\ufffd,\ufffdY\ufffd\u05faV\ufffdZ\ufffd\u05ad\\\ufffd\u054d\ufffd\/\u0004\u0015\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "acf385b45ce142a29d8c35911e9cc685dfa77f30", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdp^\ufffdU&\ufffd\u057ft\ufffd\u001c\u0012\ufffd\ufffd\b_:j1:\ufffd\ufffdmQ)\ufffd\ufffd\u0007R \u078a1\ufffd\ufffd\ufffd7\ufffd,\ufffdY\ufffd\u05faV\ufffdZ\ufffd\u05ad\\\ufffd\u054d\ufffd\/\u0004\u0015\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9900, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdp^\ufffdU&\ufffd\u057ft\ufffd\ufffd\ufffd_:j1:\ufffd\ufffdmQ)\ufffd\ufffdR \u078a1\ufffd\ufffd\ufffd7\ufffd,\ufffdY\ufffd\u05faV\ufffdZ\ufffd\u05ad\\\ufffd\u054d\ufffd\/\|\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:9900 \u00b7 (sonde \/ probe)", "target_port_label": "9900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdp^\ufffdU&\ufffd\u057ft\ufffd\u001c\u0012\ufffd\ufffd\b_:j1:\ufffd\ufffdmQ)\ufffd\ufffd\u0007R \u078a1\ufffd\ufffd\ufffd7\ufffd,\ufffdY\ufffd\u05faV\ufffdZ\ufffd\u05ad\\\ufffd\u054d\ufffd\/\u0004\u0015\|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9900, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:9900 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdp^\ufffdU&\ufffd\u057ft\ufffd\ufffd\ufffd*_:j1:\ufffd\ufffdmQ)\ufffd\ufffdR \u078a1\ufffd\ufffd\ufffd7\ufffd,\ufffdY\ufffd\u05faV\ufffdZ\ufffd\u05ad\\\ufffd\u054d\ufffd\/\|\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /nginx.config	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /nginx.config UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /nginx.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /nginx.config Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nginx.config HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /nginx.config HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "d57e0fd1435e96463eb497d2a56d284ee50a4b0c", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "e275586080f0f32618bdbe0c80334164416e3043", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.405932052868439, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "46b38a66c1d5f50cf15dd70a9739194f116117c8", "event_fingerprint": "28bd3b4f734dedbb0959a3980e1433228f688ce3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "914e46305c5a0f973127b22e4ba1e223", "payload_hash": "a20cfdb74681607baeab387f1e8cf322", "path_pattern_hash": "80871f7e109ea9867fd6173c2b32059b" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/nginx.config", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.config HTTP\/1.1", "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/nginx.config", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.config HTTP\/1.1", "request_sample": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2a61f373f2973727585febb9c45da94d04a7359", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.config", "request_line": "GET \/nginx.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.config", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.config", "request_line": "GET \/nginx.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.config", "evidence_snippet": "GET \/nginx.config HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Flood / DDoS http flood · via HTTP:9900 · (tentative d'exploit) · → /backend/database.php	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/database.php UA Mozilla/5.0 (X11; Linux i686) AppleWebKit/538.1 (KHTML, like Ge… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/database.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /backend/database.php Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/database.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.6 Safari/538.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/database.php HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/538.1 (KHTML, l Requête brute (extrait) GET /backend/database.php HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.6 Safari/538.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "d6f69fd406a5d0bdbe64ccba00132a98e152dbc6", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "b8d945b65dbbe419d52ebdd552c143c70925f067", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 235, "payload_entropy": 5.384329419153405, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4e9ee6c02a5943d02ed1fdefbaf390ad3389e177", "event_fingerprint": "d11d1f54f6a4136907ed36e3701a7b092caa1a54", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "597afb0824458dec40799dc9e1eb0c75", "payload_hash": "d40bdcab0bafd8373eca2eb33b5c9f79", "path_pattern_hash": "0b2570d8cc30161bb9d1f6c9f069b923" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/backend\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, l", "method": "GET", "path": "\/backend\/database.php", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.8.6 Safari\/538.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/database.php HTTP\/1.1", "request_sample": "GET \/backend\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.8.6 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, l", "evidence": { "method": "GET", "path": "\/backend\/database.php", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.8.6 Safari\/538.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/database.php HTTP\/1.1", "request_sample": "GET \/backend\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.8.6 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, l", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea0f2a25d88fddebbce898579153f63d1b89cc44", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/database.php", "request_line": "GET \/backend\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.8.6 Safari\/538.1", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, l", "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/database.php", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/database.php", "request_line": "GET \/backend\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.8.6 Safari\/538.1", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/database.php", "evidence_snippet": "GET \/backend\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, l", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:9900 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_flood tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9900 Chemin / cible — Service TLS Payload ��-"�Ms�蜘��۞M�DW��^]૛k�� y�-�iߋ#��H�nw�t�!�Ƹ��zy�q�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��-"�Ms�蜘��۞M�DW��^]૛k�� y�-�iߋ#��H�nw�t�!�Ƹ��zy�q�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��-"�Ms�蜘��۞M�DW��^]૛k�� y�-�iߋ#��H�nw�t�!�Ƹ��zy�q�&�+�/�,�0̨̩� �� /5� w �+3&$ 1��έ&�$��^��G��o�ϩo Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.825320834433933, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9bc6e9422076201846bf3268f1c965cbd91f8034", "event_fingerprint": "494c9f1d51d87e4e628444cc1ac6318d28c9083c", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "66aa10e608bab819713b051f1a11b1ee", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9900, "service": "tls", "service_name": "tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\"\u0013\ufffdMs\ufffd\u8718\ufffd\ufffd\ufffd\ufffd\u06deM\ufffdDW\ufffd\u0018\ufffd\ufffd^]\u0adbk\ufffd\ufffd y\ufffd-\u0005\ufffdi\u07cb\u001b#\ufffd\ufffdH\ufffdnw\ufffdt\ufffd!\ufffd\u01b8\ufffd\u0017\ufffdzy\ufffd\u0019q\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\"\u0013\ufffdMs\ufffd\u8718\ufffd\ufffd\ufffd\ufffd\u06deM\ufffdDW\ufffd\u0018\ufffd\ufffd^]\u0adbk\ufffd\ufffd y\ufffd-\u0005\ufffdi\u07cb\u001b#\ufffd\ufffdH\ufffdnw\ufffdt\ufffd!\ufffd\u01b8\ufffd\u0017\ufffdzy\ufffd\u0019q\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \r1\ufffd\ufffd\ufffd\u03ad&\ufffd$\ufffd\u0012\ufffd^\ufffd\ufffdG\u0003\ufffd\ufffd\ufffd\u0017\ufffd\u001fo\ufffd\u03e9\u0011\u001eo", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\"\u0013\ufffdMs\ufffd\u8718\ufffd\ufffd\ufffd\ufffd\u06deM\ufffdDW\ufffd\u0018\ufffd\ufffd^]\u0adbk\ufffd\ufffd y\ufffd-\u0005\ufffdi\u07cb\u001b#\ufffd\ufffdH\ufffdnw\ufffdt\ufffd!\ufffd\u01b8\ufffd\u0017\ufffdzy\ufffd\u0019q\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ffcb30786dec46f9a3782fff8a5bdea767863a34", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\"\u0013\ufffdMs\ufffd\u8718\ufffd\ufffd\ufffd\ufffd\u06deM\ufffdDW\ufffd\u0018\ufffd\ufffd^]\u0adbk\ufffd\ufffd y\ufffd-\u0005\ufffdi\u07cb\u001b#\ufffd\ufffdH\ufffdnw\ufffdt\ufffd!\ufffd\u01b8\ufffd\u0017\ufffdzy\ufffd\u0019q\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9900, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd-\"\ufffdMs\ufffd\u8718\ufffd\ufffd\ufffd\ufffd\u06deM\ufffdDW\ufffd\ufffd\ufffd^]\u0adbk\ufffd\ufffd y\ufffd-\ufffdi\u07cb#\ufffd\ufffdH\ufffdnw\ufffdt\ufffd!\ufffd\u01b8\ufffd\ufffdzy\ufffdq\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:9900 \u00b7 (sonde \/ probe)", "target_port_label": "9900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\"\u0013\ufffdMs\ufffd\u8718\ufffd\ufffd\ufffd\ufffd\u06deM\ufffdDW\ufffd\u0018\ufffd\ufffd^]\u0adbk\ufffd\ufffd y\ufffd-\u0005\ufffdi\u07cb\u001b#\ufffd\ufffdH\ufffdnw\ufffdt\ufffd!\ufffd\u01b8\ufffd\u0017\ufffdzy\ufffd\u0019q\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9900, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:9900 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd-\"\ufffdMs\ufffd\u8718\ufffd\ufffd\ufffd\ufffd\u06deM\ufffdDW\ufffd\ufffd\ufffd^]\u0adbk\ufffd\ufffd y\ufffd-\ufffdi\u07cb#\ufffd\ufffdH\ufffdnw\ufffdt\ufffd!\ufffd\u01b8\ufffd\ufffdzy\ufffdq\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
15/06/2026 12:49:57 UTC	TCP	9900 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:9900 · (tentative d'exploit) · → /nginx.conf	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /nginx.conf UA Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/53… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /nginx.conf TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible /nginx.conf Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nginx.conf HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/537.36 Requête brute (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "conf", "http_ua_hash": "042aea374dea8d91a602a0e615549b479ed19ff2", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "845c3b2b5656c277525928bf4edf7c41919ad7fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.375114850462957, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 9900, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "7d386f2337a06f3d613c0684802ec11a38166c57", "event_fingerprint": "5f753b9559aaff5a3a3043ac3385541ae3efafbc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "00d61033796631745a230211c2789e70", "payload_hash": "6e5f675850519c2bf3979d2e8e267f0e", "path_pattern_hash": "80f5fa98cca489e2cf5aa551565e088f" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36", "method": "GET", "path": "\/nginx.conf", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.conf HTTP\/1.1", "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/nginx.conf", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.conf HTTP\/1.1", "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac32305995564c5083044fb45f813012b48f3955", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.conf", "request_line": "GET \/nginx.conf HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.conf", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.conf", "request_line": "GET \/nginx.conf HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:9900 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.conf", "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }

34.50.60.131

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence