Renseignement sur les menaces

Corée du Sud

34.64.117.206

FAI Google LLC Première vue 15/06/2026 15:07 UTC Dernière vue 15/06/2026 15:07 UTC Risque Élevé

Période analysée : 2026-06-13 → 2026-06-20

Activité suspecte — risque 63/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 71/100 Élevé

Première observation 15/06/2026 15:07 UTC

Dernière observation 15/06/2026 15:07 UTC

Événements (période) 854

MITRE ATT&CK principal TA0007 428 occurrences

Activité suspecte — risque 63/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 84 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.64.112.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

35.203.211.53 Scanner web 20/06/2026 09:30 UTC
198.235.24.125 epmd 20/06/2026 09:29 UTC
162.216.150.160 Sonde PostgreSQL 20/06/2026 09:26 UTC
35.187.13.22 Sonde port 3155/TCP 20/06/2026 09:25 UTC
34.77.191.38 Sonde port 12166/TCP 20/06/2026 09:25 UTC
34.14.21.193 Sonde port 9156/TCP 20/06/2026 09:24 UTC
34.78.120.132 Sonde port 9550/TCP 20/06/2026 09:24 UTC
147.185.133.62 Sonde PostgreSQL 20/06/2026 09:24 UTC

Événements (filtres)

854

Première observation

15/06/2026 15:07 UTC

Dernière observation

15/06/2026 15:07 UTC

Dernière activité (filtres)

15/06/2026 15:07 UTC

Événements 7j

854

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 427 HTTP ALT 81 TCP 427

HTTP

427

HTTP ALT 81

427

Géolocalisation

Origine réseau déclarée

Corée du Sud unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 81 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:81 · (tentative d'exploit) · → /.vscode/launch.json

Détails protocole

Méthode: GET
Chemin: /.vscode/launch.json
User-Agent: Mozilla/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gecko/20081015 Fennec/1.0a1

Aperçu payload

GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; U; Linux armv61; en-US; rv:1.9.1b2pre) Gec

Port / service

81 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

854 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

854 événement(s) — page 5/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /jenkins/Jenkinsfile	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /jenkins/Jenkinsfile UA Mozilla/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_jenkins Cible HTTP GET /jenkins/Jenkinsfile TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /jenkins/Jenkinsfile Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /jenkins/Jenkinsfile HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit/537.36 Requête brute (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "670664974c08693406967c30ae1938531c910fc4", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "171840fe47dfd6f2d76e0b80f11136ea038cbc5d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.41182491276115, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "ca3bdf7152261d9a6f202d1c0f605cacad5b3069", "event_fingerprint": "a3d85724d54b2bb9a81331464e2a01ab924a3e26", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5b7406d8a3823a7612d787730f1bdbaa", "payload_hash": "c7694bda5f081811c83e5fe54be02470", "path_pattern_hash": "40125f4f361452a7111c9b4a9dc1dfb2" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36", "method": "GET", "path": "\/jenkins\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/jenkins\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9278adf48920c9848069f808802cc4b20beb7a8b", "protocol_details": { "http_method": "GET", "http_path": "\/jenkins\/Jenkinsfile", "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jenkins\/Jenkinsfile", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/jenkins\/Jenkinsfile", "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Mobile Safari\/537\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jenkins\/Jenkinsfile", "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.2; OC105) AppleWebKit\/537.36", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_jenkins", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /.drone.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.drone.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.drone.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /.drone.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.drone.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.drone.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Requête brute (extrait) GET /.drone.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.20 Safari/535.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "1fcd6baa23e861376ea34cec32d174d3f7177277", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "1954ac9283af903ae4a6de319bd93df245fb035e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 229, "payload_entropy": 5.4221725490244514, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "712c4a3a7eb2a3f785d25a316829a0828959f389", "event_fingerprint": "3ab3e163b31f1d4e87112be7eb4a7c79f939fd4b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3ebd074a0ba7a537ca17a6f6796f9e3", "payload_hash": "3df15b2e9321ac30ef1c979f7bb6dfce", "path_pattern_hash": "f74d63edd884e7a9299ad52f54b46b61" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko)", "method": "GET", "path": "\/.drone.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/13.0.782.20 Safari\/535.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yml HTTP\/1.1", "request_sample": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/13.0.782.20 Safari\/535.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko)", "evidence": { "method": "GET", "path": "\/.drone.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/13.0.782.20 Safari\/535.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yml HTTP\/1.1", "request_sample": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/13.0.782.20 Safari\/535.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko)", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d819abd5c3389ab21967be47746b8eb85b625ced", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yml", "request_line": "GET \/.drone.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/13.0.782.20 Safari\/535.1", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko)", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yml", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yml", "request_line": "GET \/.drone.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko) Chrome\/13.0.782.20 Safari\/535.1", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yml", "evidence_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/535.1 (KHTML, like Gecko)", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /META-INF/context.xml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /META-INF/context.xml UA Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) Apple… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /META-INF/context.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /META-INF/context.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /META-INF/context.xml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) A Requête brute (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Co Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "2757074521bfa128d92b302ba501e17f4d5210e0", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "3986bf7cda9cc4c51e53512817fc8584b30172b0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 275, "payload_entropy": 5.489474964182855, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a87cb7c3d59d0aa31645fba6f514b2eb0a28ed05", "event_fingerprint": "f6191376ca0911864a0805f1cb8aad9761ce4ef8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8c2b26f1d3eeae7269314dbfc381422d", "payload_hash": "fc35134c9f4b22887c5e842724f69b28", "path_pattern_hash": "30f764f600e5073ae934f34b2b98acc2" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) A", "method": "GET", "path": "\/META-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.98 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.98 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) A", "evidence": { "method": "GET", "path": "\/META-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.98 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.98 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) A", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cf5921c096dc4949436e9abfd42cfa8aaf24dc60", "protocol_details": { "http_method": "GET", "http_path": "\/META-INF\/context.xml", "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.98 Mo\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) A", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/META-INF\/context.xml", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/META-INF\/context.xml", "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/52.0.2743.98 Mo\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/META-INF\/context.xml", "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; HTC One M9 Build\/MRA58K) A", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /.buildkite/pipeline.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.buildkite/pipeline.yml UA SonyEricssonW660i/R6AD Browser/NetFront/3.3 Profile/MIDP-2.0 Co… Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.buildkite/pipeline.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /.buildkite/pipeline.yml Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.buildkite/pipeline.yml HTTP/1.1` User-Agent SonyEricssonW660i/R6AD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF nosqli-3 Payload (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: SonyEricssonW660i/R6AD Browser/NetFront/3.3 Profile/MIDP Requête brute (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: SonyEricssonW660i/R6AD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "9781410f7361383084aafa131a314a6e2c9192a7", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "4bafbac6a6a3a3e498ce6febcc708140823e7542", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 224, "payload_entropy": 5.279349839968974, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2aa945c3cb3b6b4fdd410b154f9f723e804613dd", "event_fingerprint": "e5af46b0023a7c30bed1b7ec6f90d9008db47dbf", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e593b348fc4f04da74d0e8a31a0a71c5", "payload_hash": "84ac4fcece281dc23f1e3bade9942537", "path_pattern_hash": "483e00e02486581ed9691d00f40bae15" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP", "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP", "evidence": { "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "94cf9a46abfe7783c637340bb4f4d6d0ccc5f65f", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: SonyEricssonW660i\/R6AD Browser\/NetFront\/3.3 Profile\/MIDP", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /.drone.yaml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.drone.yaml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.drone.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /.drone.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.drone.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.drone.yaml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 ( Requête brute (extrait) GET /.drone.yaml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "60fbbf4818ce0470866b4c62ed364c72741a2544", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "2dde7c7ac3e6a210a636b7b4438f90ddd70a6f86", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.396811709412667, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "712c4a3a7eb2a3f785d25a316829a0828959f389", "event_fingerprint": "96d726729c84e8556b22f0feef5b1d6c1c67dee6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "51cdbfb09c928a54e9428912a2a961c6", "payload_hash": "87375cf8cdb59dac117de1de32de93dc", "path_pattern_hash": "375bdd2accbc560de2cef140cdb7ad08" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (", "method": "GET", "path": "\/.drone.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yaml HTTP\/1.1", "request_sample": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/.drone.yaml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yaml HTTP\/1.1", "request_sample": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "80bebace2663db7802d8d98d18934103cbde3276", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yaml", "request_line": "GET \/.drone.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yaml", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yaml", "request_line": "GET \/.drone.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yaml", "evidence_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit\/537.36 (", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /debug.log	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /debug.log UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /debug.log HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KH Requête brute (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "314574ceea90840d3e7fd5894d8612b1eb25ed9c", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "77d9f648329aebdef206c4b1d63546db6147ce3b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.435884312082904, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "7ed4320a772c6d627c150a30de198bf9e46f78ff", "event_fingerprint": "1c92bb9e3b193b95e37cd2e99e8d6457d4a55c07", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d470b844033a1b1a9cb7ab3c864b89d4", "payload_hash": "8f80464028d9c725ba64ecd9fa985c62", "path_pattern_hash": "55839acef8bcadd99e7e1a1cdf75a15f" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/debug.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/debug.log HTTP\/1.1", "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/debug.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/debug.log HTTP\/1.1", "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "584af05c098e862d854976087dd103886651d7e1", "protocol_details": { "http_method": "GET", "http_path": "\/debug.log", "request_line": "GET \/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/debug.log", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/debug.log", "request_line": "GET \/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/debug.log", "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KH", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /app/application.properties	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/application.properties UA Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon/1… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /app/application.properties Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/application.properties HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon/1.3.14 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/application.properties HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Geck Requête brute (extrait) GET /app/application.properties HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon/1.3.14 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "properties", "http_ua_hash": "93c0a2ef61ad2851b9e4d723f606465e2b5838c6", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "2f953c642188869b1a561e9c4740c219cba11ed1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.193205869032203, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a87cb7c3d59d0aa31645fba6f514b2eb0a28ed05", "event_fingerprint": "58ca9eb61633bea976d8dacaa060ca2f1bc13246", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e491e27ce92b78290bdfc6a244626440", "payload_hash": "a31924f9f97a9bffc14a95e218694179", "path_pattern_hash": "286c03092fb4d6bd8948d162eabf9d1a" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/app\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Geck", "method": "GET", "path": "\/app\/application.properties", "user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/application.properties HTTP\/1.1", "request_sample": "GET \/app\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Geck", "evidence": { "method": "GET", "path": "\/app\/application.properties", "user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/application.properties HTTP\/1.1", "request_sample": "GET \/app\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Geck", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "581399f346cab8a3ab18c0a9ddededb716c12e56", "protocol_details": { "http_method": "GET", "http_path": "\/app\/application.properties", "request_line": "GET \/app\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Geck", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/application.properties", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/application.properties", "request_line": "GET \/app\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/application.properties", "evidence_snippet": "GET \/app\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Geck", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��g�x�I+��q�%i�`��ST�K�Eq x�&�� V%�Uè��p��q� z�f[&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��g�x�I+��q�%i�`��ST�K�Eq x�&��V%�Uè��p��q� z�f[&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��g�x�I+��q�%i�`��ST�K�Eq x�&�� V%�Uè��p��q� z�f[&�+�/�,�0̨̩� �� /5� w �+3&$ Y:Xլ>��^P^��o�[�A58qP� ��0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.783998710027312, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "087c8a7eb17039deb2750d4ccfcc6bae", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdg\ufffdx\u001e\ufffdI+\u0003\ufffd\ufffdq\ufffd%i\ufffd`\ufffd\ufffd\ufffd\ufffdST\ufffdK\ufffdEq x\ufffd&\ufffd\ufffd\u000b\ufffdV\u0006%\ufffdU\u00e8\u0005\ufffd\ufffd\ufffdp\ufffd\ufffd\u0013q\ufffd\nz\ufffdf[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdg\ufffdx\u001e\ufffdI+\u0003\ufffd\ufffdq\ufffd%i\ufffd`\ufffd\ufffd\ufffd\ufffdST\ufffdK\ufffdEq x\ufffd&\ufffd\ufffd\u000b\ufffdV\u0006%\ufffdU\u00e8\u0005\ufffd\ufffd\ufffdp\ufffd\ufffd\u0013q\ufffd\nz\ufffdf[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Y:X\u0016\u056c>\ufffd\ufffd^P^\ufffd\ufffd\ufffdo\ufffd[\ufffdA58qP\u0001\ufffd\r\ufffd\ufffd\ufffd\ufffd0", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdg\ufffdx\u001e\ufffdI+\u0003\ufffd\ufffdq\ufffd%i\ufffd`\ufffd\ufffd\ufffd\ufffdST\ufffdK\ufffdEq x\ufffd&\ufffd\ufffd\u000b\ufffdV\u0006%\ufffdU\u00e8\u0005\ufffd\ufffd\ufffdp\ufffd\ufffd\u0013q\ufffd\nz\ufffdf[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c020c1f24f4f699a249b80d3b99eb651fe209047", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdg\ufffdx\u001e\ufffdI+\u0003\ufffd\ufffdq\ufffd%i\ufffd`\ufffd\ufffd\ufffd\ufffdST\ufffdK\ufffdEq x\ufffd&\ufffd\ufffd\u000b\ufffdV\u0006%\ufffdU\u00e8\u0005\ufffd\ufffd\ufffdp\ufffd\ufffd\u0013q\ufffd\nz\ufffdf[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdg\ufffdx\ufffdI+\ufffd\ufffdq\ufffd%i\ufffd`\ufffd\ufffd\ufffd\ufffdST\ufffdK\ufffdEq x\ufffd&\ufffd\ufffd\ufffdV%\ufffdU\u00e8\ufffd\ufffd\ufffdp\ufffd\ufffdq\ufffd\nz\ufffdf[&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdg\ufffdx\u001e\ufffdI+\u0003\ufffd\ufffdq\ufffd%i\ufffd`\ufffd\ufffd\ufffd\ufffdST\ufffdK\ufffdEq x\ufffd&\ufffd\ufffd\u000b\ufffdV\u0006%\ufffdU\u00e8\u0005\ufffd\ufffd\ufffdp\ufffd\ufffd\u0013q\ufffd\nz\ufffdf[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdg\ufffdx\ufffdI+*\ufffd\ufffdq\ufffd%i\ufffd`\ufffd\ufffd\ufffd\ufffdST\ufffdK\ufffdEq x\ufffd&\ufffd\ufffd\ufffdV%\ufffdU\u00e8\ufffd\ufffd\ufffdp\ufffd\ufffdq\ufffd\nz\ufffdf[&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:81 · (tentative d'exploit) · → /app/config.json	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/config.json UA Mozilla/5.0 (Linux; Android 6.0; Nexus 5X Build/MDB08L) AppleWe… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /app/config.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /app/config.json Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0; Nexus 5X Build/MDB08L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config.json HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5X Build/MDB08L) AppleWeb Requête brute (extrait) GET /app/config.json HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5X Build/MDB08L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "30d8bab965e2ae46e6d5e5c397287f4a1f605ccb", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "04a99df4e7f26fbef3b59fc449247949b0b5c67b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.458846578222912, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "10e957acd308b1c4205a7b58988c40488a027ae2", "event_fingerprint": "d160b20b2a44c1a48b892031ea0b09fea6d67fc8", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "18bd3a7e3b302e61dbfd9090dd2b53dd", "payload_hash": "d888b63c087c2cb342c9eb486aeb2427", "path_pattern_hash": "4ea6034329b7a9b73f791b1e3c4a9abe" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/app\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWeb", "method": "GET", "path": "\/app\/config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.124 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config.json HTTP\/1.1", "request_sample": "GET \/app\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.124 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/app\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWeb", "evidence": { "method": "GET", "path": "\/app\/config.json", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.124 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config.json HTTP\/1.1", "request_sample": "GET \/app\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.124 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/app\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5fe0dd2e77182a2003f5fedc724665f0ea9b1e3a", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config.json", "request_line": "GET \/app\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.124 Mob\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWeb", "attack_vector": "config file probe \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config.json", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config.json", "request_line": "GET \/app\/config.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/53.0.2785.124 Mob\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config.json", "evidence_snippet": "GET \/app\/config.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; Nexus 5X Build\/MDB08L) AppleWeb", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��+��<>v��o�' ��WB��u/� ��k��ǵ��.��G��jKw�rl�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��+��<>v��o�' ��WB��u/� ��k��ǵ��.��G��jKw�rl�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��+��<>v��o�' ��WB��u/� ��k��ǵ��.��G��jKw�rl�&�+�/�,�0̨̩� �� /5� w �+3&$ l1��j(�0��1 �.��?�xa�jIB��WL\ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.847798550585445, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f4569a708ffa2668f32279cf096a27b4", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffd\ufffd<>v\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffd'\r\ufffd\ufffd\u001c\ufffd\ufffd\bWB\ufffd\ufffdu\/\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\u01f5\ufffd\ufffd\ufffd.\ufffd\ufffdG\ufffd\ufffd\ufffdjK\u001cw\ufffdrl\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffd\ufffd<>v\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffd'\r\ufffd\ufffd\u001c\ufffd\ufffd\bWB\ufffd\ufffdu\/\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\u01f5\ufffd\ufffd\ufffd.\ufffd\ufffdG\ufffd\ufffd\ufffdjK\u001cw\ufffdrl\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 l1\ufffd\ufffd\ufffdj(\ufffd0\ufffd\ufffd1\u000f\f\ufffd.\ufffd\ufffd?\ufffdxa\ufffdjIB\ufffd\ufffdWL\u001a\\", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffd\ufffd<>v\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffd'\r\ufffd\ufffd\u001c\ufffd\ufffd\bWB\ufffd\ufffdu\/\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\u01f5\ufffd\ufffd\ufffd.\ufffd\ufffdG\ufffd\ufffd\ufffdjK\u001cw\ufffdrl\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a4d3c6071c02653d478a8a78f56f33f363933a11", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffd\ufffd<>v\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffd'\r\ufffd\ufffd\u001c\ufffd\ufffd\bWB\ufffd\ufffdu\/\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\u01f5\ufffd\ufffd\ufffd.\ufffd\ufffdG\ufffd\ufffd\ufffdjK\u001cw\ufffdrl\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd+\ufffd\ufffd<>v\ufffd\ufffd\ufffd\ufffd\ufffdo\ufffd'\r\ufffd\ufffd\ufffd\ufffdWB\ufffd\ufffdu\/\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\u01f5\ufffd\ufffd\ufffd.\ufffd\ufffdG\ufffd\ufffd\ufffdjKw\ufffdrl\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd+\ufffd\ufffd<>v\ufffd\ufffd\u000e\ufffd\ufffd\ufffdo\ufffd'\r\ufffd\ufffd\u001c\ufffd\ufffd\bWB\ufffd\ufffdu\/\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\u01f5\ufffd\ufffd\ufffd.\ufffd\ufffdG\ufffd\ufffd\ufffdjK\u001cw\ufffdrl\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd+\ufffd\ufffd<>v\ufffd\ufffd\ufffd\ufffd\ufffdo\ufffd'\r\ufffd\ufffd\ufffd\ufffdWB\ufffd\ufffdu\/\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffd\u01f5\ufffd\ufffd\ufffd.\ufffd\ufffdG\ufffd\ufffd\ufffdjKw\ufffdrl\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:81 · (tentative d'exploit) · → /backend/config.php	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/config.php UA Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /backend/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /backend/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /backend/config.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML, like Gecko) Ubuntu/10.10 Chrome/9.1.0.0 Safari/540.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/config.php HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 ( Requête brute (extrait) GET /backend/config.php HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML, like Gecko) Ubuntu/10.10 Chrome/9.1.0.0 Safari/540.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "291ac3f979f5066206f30bc7e01c8a64a5801463", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "0f76041769be813ece64207c970ee1807850a543", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.411287739338932, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "10e957acd308b1c4205a7b58988c40488a027ae2", "event_fingerprint": "ba1e5cdf7ad60affaf1fa3971755e6445fda4010", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a5652962f7752608f6b51b0bf6e29faa", "payload_hash": "bb716b8961718e12be290c93857de9ae", "path_pattern_hash": "5736f534a7045a63aa72293badb5c26d" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/backend\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (", "method": "GET", "path": "\/backend\/config.php", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (KHTML, like Gecko) Ubuntu\/10.10 Chrome\/9.1.0.0 Safari\/540.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/config.php HTTP\/1.1", "request_sample": "GET \/backend\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (KHTML, like Gecko) Ubuntu\/10.10 Chrome\/9.1.0.0 Safari\/540.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (", "evidence": { "method": "GET", "path": "\/backend\/config.php", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (KHTML, like Gecko) Ubuntu\/10.10 Chrome\/9.1.0.0 Safari\/540.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/config.php HTTP\/1.1", "request_sample": "GET \/backend\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (KHTML, like Gecko) Ubuntu\/10.10 Chrome\/9.1.0.0 Safari\/540.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c32364833c5ecee5f505689a1859ec0d5a593c6c", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/config.php", "request_line": "GET \/backend\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (KHTML, like Gecko) Ubuntu\/10.10 Chrome\/9.1.0.0 Safari\/540.0", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (", "attack_vector": "config file probe \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/config.php", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/config.php", "request_line": "GET \/backend\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (KHTML, like Gecko) Ubuntu\/10.10 Chrome\/9.1.0.0 Safari\/540.0", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/config.php", "evidence_snippet": "GET \/backend\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/540.0 (", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload �� $�?�XQ!�Vm_��؅R�F��䙈. �d�ѝ={�9]�w{h)Z�;�w�Xt�aQ~4�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� $�?�XQ!�Vm_��؅R�F��䙈. �d�ѝ={�9]�w{h)Z�;�w�Xt�aQ~4�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� $�?�XQ!�Vm_��؅R�F��䙈. �d�ѝ={�9]�w{h)Z�;�w�Xt�aQ~4�&�+�/�,�0̨̩� �� /5� w �+3&$ ��t<zp�4�-11� a �uD�UZ�-=v Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.866411023454507, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89186388f294feb3ccab4b9a1c658b19", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\n\ufffd$\ufffd?\ufffdXQ\u0017!\ufffdVm_\ufffd\ufffd\ufffd\u0605R\ufffdF\ufffd\ufffd\ufffd\u4648\u0004\u0005. \ufffdd\ufffd\u045d={\ufffd9]\ufffdw{h)Z\ufffd;\ufffdw\ufffd\u0017Xt\ufffdaQ\u0016~4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\n\ufffd$\ufffd?\ufffdXQ\u0017!\ufffdVm_\ufffd\ufffd\ufffd\u0605R\ufffdF\ufffd\ufffd\ufffd\u4648\u0004\u0005. \ufffdd\ufffd\u045d={\ufffd9]\ufffdw{h)Z\ufffd;\ufffdw\ufffd\u0017Xt\ufffdaQ\u0016~4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u001e\ufffd\ufffdt<\u001dzp\u001c\ufffd4\ufffd-11\ufffd\ra \u0010\ufffduD\ufffdUZ\ufffd-=v", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\n\ufffd$\ufffd?\ufffdXQ\u0017!\ufffdVm_\ufffd\ufffd\ufffd\u0605R\ufffdF\ufffd\ufffd\ufffd\u4648\u0004\u0005. \ufffdd\ufffd\u045d={\ufffd9]\ufffdw{h)Z\ufffd;\ufffdw\ufffd\u0017Xt\ufffdaQ\u0016~4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ceb6c42e4d2788d05fc5a853274100b4ce63438", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\n\ufffd$\ufffd?\ufffdXQ\u0017!\ufffdVm_\ufffd\ufffd\ufffd\u0605R\ufffdF\ufffd\ufffd\ufffd\u4648\u0004\u0005. \ufffdd\ufffd\u045d={\ufffd9]\ufffdw{h)Z\ufffd;\ufffdw\ufffd\u0017Xt\ufffdaQ\u0016~4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\n\ufffd$\ufffd?\ufffdXQ!\ufffdVm_\ufffd\ufffd\ufffd\u0605R\ufffdF\ufffd\ufffd\ufffd\u4648. \ufffdd\ufffd\u045d={\ufffd9]\ufffdw{h)Z\ufffd;\ufffdw\ufffdXt\ufffdaQ~4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\n\ufffd$\ufffd?\ufffdXQ\u0017!\ufffdVm_\ufffd\ufffd\ufffd\u0605R\ufffdF\ufffd\ufffd\ufffd\u4648\u0004\u0005. \ufffdd\ufffd\u045d={\ufffd9]\ufffdw{h)Z\ufffd;\ufffdw\ufffd\u0017Xt\ufffdaQ\u0016~4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\n\ufffd$\ufffd?\ufffdXQ!\ufffdVm_\ufffd\ufffd\ufffd\u0605R\ufffdF\ufffd\ufffd\ufffd\u4648. \ufffdd\ufffd\u045d={\ufffd9]\ufffdw{h)Z\ufffd;\ufffdw\ufffdXt\ufffdaQ~4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��-�!��9XN)��l&6 ��«�3:+� �r �»8M�D!y�X��ɺn�.X̡kɲ�(&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��-�!��9XN)��l&6 ��«�3:+� �r�»8M�D!y�X��ɺn�.X̡kɲ�(&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��-�!��9XN)��l&6 ��«�3:+� �r �»8M�D!y�X��ɺn�.X̡kɲ�(&�+�/�,�0̨̩� �� /5� w �+3&$ ��R��M 1�գ�P��L�bk Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.825650789623014, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c12b03eddc951df3f9a2ac9c1ca499a4", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\ufffd\u001b!\ufffd\u0010\ufffd9XN\u0014)\ufffd\ufffdl\u001e&\u00156\t\ufffd\u0001\ufffd\u00ab\ufffd3:\u0011+\ufffd \ufffdr\u000f\u000b\ufffd\u00bb8M\ufffdD!y\ufffdX\ufffd\ufffd\u027an\ufffd.X\u0007\u0321k\u0272\ufffd(\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\ufffd\u001b!\ufffd\u0010\ufffd9XN\u0014)\ufffd\ufffdl\u001e&\u00156\t\ufffd\u0001\ufffd\u00ab\ufffd3:\u0011+\ufffd \ufffdr\u000f\u000b\ufffd\u00bb8M\ufffdD!y\ufffdX\ufffd\ufffd\u027an\ufffd.X\u0007\u0321k\u0272\ufffd(\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdM\u000f\n\u00011\u0012\ufffd\u0007\u0563\ufffd\u0017P\ufffd\ufffd\ufffd\u0001\ufffd\ufffd\ufffdL\ufffdbk", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\ufffd\u001b!\ufffd\u0010\ufffd9XN\u0014)\ufffd\ufffdl\u001e&\u00156\t\ufffd\u0001\ufffd\u00ab\ufffd3:\u0011+\ufffd \ufffdr\u000f\u000b\ufffd\u00bb8M\ufffdD!y\ufffdX\ufffd\ufffd\u027an\ufffd.X\u0007\u0321k\u0272\ufffd(\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f7be12fc718707fc12dd4da641759df764c9e582", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\ufffd\u001b!\ufffd\u0010\ufffd9XN\u0014)\ufffd\ufffdl\u001e&\u00156\t\ufffd\u0001\ufffd\u00ab\ufffd3:\u0011+\ufffd \ufffdr\u000f\u000b\ufffd\u00bb8M\ufffdD!y\ufffdX\ufffd\ufffd\u027an\ufffd.X\u0007\u0321k\u0272\ufffd(\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd-\ufffd!\ufffd\ufffd9XN)\ufffd\ufffdl&6\t\ufffd\ufffd\u00ab\ufffd3:+\ufffd \ufffdr\ufffd\u00bb8M\ufffdD!y\ufffdX\ufffd\ufffd\u027an\ufffd.X\u0321k\u0272\ufffd(&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\ufffd\u001b!\ufffd\u0010\ufffd9XN\u0014)\ufffd\ufffdl\u001e&\u00156\t\ufffd\u0001\ufffd\u00ab\ufffd3:\u0011+\ufffd \ufffdr\u000f\u000b\ufffd\u00bb8M\ufffdD!y\ufffdX\ufffd\ufffd\u027an\ufffd.X\u0007\u0321k\u0272\ufffd(\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd-\ufffd!\ufffd\ufffd9XN)\ufffd\ufffdl&6\t\ufffd\ufffd\u00ab\ufffd3:+\ufffd \ufffd*r\ufffd\u00bb8M\ufffdD!y\ufffdX\ufffd\ufffd\u027an\ufffd.X\u0321k\u0272\ufffd(&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /app/config.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app/config.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /app/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /app/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 OPR/64.0.3409.0 (Edition developer) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /app/config.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 OPR/64.0.3409.0 (Edition developer) Accept-Charset: utf-8 Accept-Encoding: g Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "c9d68c3716765910cf2e85a545e7b29ef2a35b61", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "26f7d724b3a468b82e3ba15c8d7bacb7b8061900", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 282, "payload_entropy": 5.458330091981767, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a455302d0881bfadd7a4b5b918231625b5519366", "event_fingerprint": "bc3f1dea85328b57d0c2ced37fa507109091f21a", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c79c3932da7e0eb7a4f9c80ffaecfb29", "payload_hash": "6e9a34c79b20e5b898b6e9d01a6cc7ad", "path_pattern_hash": "6fb8a0463da694df32694fe856dd98b0" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/app\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/app\/config.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/64.0.3409.0 (Edition developer)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config.yml HTTP\/1.1", "request_sample": "GET \/app\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/64.0.3409.0 (Edition developer)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/app\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/app\/config.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/64.0.3409.0 (Edition developer)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config.yml HTTP\/1.1", "request_sample": "GET \/app\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/64.0.3409.0 (Edition developer)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g", "payload_snippet": "GET \/app\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "78a481ff494e4bae40d77811c5af9e7bda73232f", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config.yml", "request_line": "GET \/app\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config.yml", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config.yml", "request_line": "GET \/app\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36 OPR\/\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/config.yml", "evidence_snippet": "GET \/app\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHT", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /bitbucket-pipelines.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /bitbucket-pipelines.yml UA Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like G… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 net_flood Cible HTTP GET /bitbucket-pipelines.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /bitbucket-pipelines.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /bitbucket-pipelines.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Règles WAF nosqli-3 Payload (extrait) GET /bitbucket-pipelines.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /bitbucket-pipelines.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "c03cd37d2081e146d7646ffe1fd3b288c7377f5e", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "e18939aa25137b140957dface586fa6d87f55246", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.392716770297217, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 2, "anomaly_count": 0, "campaign_key": "1cb60cad8c808f39c3cab191c50d309c47ad07d5", "event_fingerprint": "41fe726f8ce0bd1dfa3d86d7f75ca51e212d9d65", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a84cf2cbdd36ed3842484f0a6bc7e340", "payload_hash": "3027db5a09028c3e8ffcf311334d4f89", "path_pattern_hash": "7196cda3d0ac0fc416539ef0a94d0999" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/bitbucket-pipelines.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "request_sample": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/bitbucket-pipelines.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "request_sample": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "512d22ba4180e103bc99a389eedd584acc5278b3", "protocol_details": { "http_method": "GET", "http_path": "\/bitbucket-pipelines.yml", "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML,", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bitbucket-pipelines.yml", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bitbucket-pipelines.yml", "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bitbucket-pipelines.yml", "evidence_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML,", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /azure-pipelines.yml	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /azure-pipelines.yml UA Mozilla/5.0 (Linux; Android 9; MI 8 Build/PKQ1.180729.001; wv) … Émulateur HTTP WAF 20 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /azure-pipelines.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /azure-pipelines.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /azure-pipelines.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; MI 8 Build/PKQ1.180729.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 XWEB/882 MMWEBSDK/190506 Mobile Safari/537.36 MMWEBID/409 MicroMe… Règles WAF sqli-21 rce-0 nosqli-3 Payload (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 8 Build/PKQ1.180729.001; w Requête brute (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 9; MI 8 Build/PKQ1.180729.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 XWEB/882 MMWEBSDK/190506 Mobile Safari/537.36 MMWEBID/ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "1fbe9366a5a38472a0c0c1768b134b68b9518ff4", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "8bacf7ba189e1d49695131e01ec30c1752198ab0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 408, "payload_entropy": 5.592586834395905, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 88, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 88, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 65, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ec395cf451a6de0f0572e35392aab8cd234b9588", "event_fingerprint": "3c337cc1a2ab3497bc9cd75c63ada25488955ac1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 88, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0d43374e89a8b9a46bf794d2bf44b0da", "payload_hash": "12e0f35c6d672d6a49e58aea5a53a5f5", "path_pattern_hash": "d76578f2ff8c409283f48927713c6e3e" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; w", "method": "GET", "path": "\/azure-pipelines.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190506 Mobile Safari\/537.36 MMWEBID\/409 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetType\/WIF\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190506 Mobile Safari\/537.36 MMWEBID\/", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; w", "evidence": { "method": "GET", "path": "\/azure-pipelines.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190506 Mobile Safari\/537.36 MMWEBID\/409 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetType\/WIF\u2026", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3" ], "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/67.0.3396.87 XWEB\/882 MMWEBSDK\/190506 Mobile Safari\/537.36 MMWEBID\/", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; w", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2dbcc511882e470044aa022172ea0b6f1e788179", "protocol_details": { "http_method": "GET", "http_path": "\/azure-pipelines.yml", "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrom\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; w", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/azure-pipelines.yml", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 88, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/azure-pipelines.yml", "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrom\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/azure-pipelines.yml", "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; MI 8 Build\/PKQ1.180729.001; w", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /backend/config.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /backend/config.yml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /backend/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /backend/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/config.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backend/config.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/6 Requête brute (extrait) GET /backend/config.yml HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "09bd048331a09c16ae3c5ff4db5a55676836a128", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "a126963d241c6de5415e84028949599a8cc00b17", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.368476982416227, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 63, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a455302d0881bfadd7a4b5b918231625b5519366", "event_fingerprint": "b54b416ee74e7c4c57cf02d8f7ca89ad777e5c9b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d769889e8dd7c947a6c2345c24cc8d13", "payload_hash": "737e302ef7afd0bb7698295a06db9827", "path_pattern_hash": "db11239f2df73531510aaf9c947f6a5d" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/backend\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/6", "method": "GET", "path": "\/backend\/config.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/config.yml HTTP\/1.1", "request_sample": "GET \/backend\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/6", "evidence": { "method": "GET", "path": "\/backend\/config.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backend\/config.yml HTTP\/1.1", "request_sample": "GET \/backend\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eaf2a70f9f729ef4122a0252970a550009626175", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/config.yml", "request_line": "GET \/backend\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/6", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/config.yml", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/config.yml", "request_line": "GET \/backend\/config.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.2 Safari\/605.1.15", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/config.yml", "evidence_snippet": "GET \/backend\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/6", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:52 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /trace.log	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /trace.log UA Mozilla/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /trace.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /trace.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /trace.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "23a16c385992f56c2e015dfdea350e8d5a7fd397", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "0306f640cbfe7832e364cfa8aaa4495e8ef14f08", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.3898027186944955, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "dac0cbfcc1c48c8f193546cee0ad20cdf4774add", "event_fingerprint": "13bc982d3a7f1a614fdc5a996ddd4d2852859a37", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d2c19e6bb49ac753eeb3bb652c7f87db", "payload_hash": "90cc77acf38cbccca631b1ecfc571ad1", "path_pattern_hash": "f8d80e9ce78cc8d6e0404ba95f5bd5a6" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/trace.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/trace.log HTTP\/1.1", "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/trace.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/trace.log HTTP\/1.1", "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c44119ff06edacabcbd6129a374814bd9ee5f31c", "protocol_details": { "http_method": "GET", "http_path": "\/trace.log", "request_line": "GET \/trace.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/trace.log", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/trace.log", "request_line": "GET \/trace.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/trace.log", "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LLD-AL10) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��J�g�2c�W�[�ie&`��ܢ�ʭy�H7� 2)_� ��d��'��6ЏA�3 Ȇ<�E��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��J�g�2c�W�[�ie&`��ܢ�ʭy�H7� 2)_� ��d��'��6ЏA�3Ȇ<�E��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��J�g�2c�W�[�ie&`��ܢ�ʭy�H7� 2)_� ��d��'��6ЏA�3 Ȇ<�E��&�+�/�,�0̨̩� �� /5� w �+3&$ �#��W��wD��±�#�IZt<�l�z�- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.863524178534453, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "48982859903e584e4a4d82042dbb969b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003J\ufffdg\ufffd2c\ufffdW\ufffd\u000e[\b\ufffdie&`\ufffd\ufffd\u0014\u0722\ufffd\b\u02ady\ufffdH7\ufffd 2)_\ufffd\r\ufffd\ufffd\u0010\ufffdd\ufffd\ufffd'\ufffd\ufffd6\u040f\u001bA\ufffd3\f\u0206<\ufffdE\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003J\ufffdg\ufffd2c\ufffdW\ufffd\u000e[\b\ufffdie&`\ufffd\ufffd\u0014\u0722\ufffd\b\u02ady\ufffdH7\ufffd 2)_\ufffd\r\ufffd\ufffd\u0010\ufffdd\ufffd\ufffd'\ufffd\ufffd6\u040f\u001bA\ufffd3\f\u0206<\ufffdE\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0002#\ufffd\ufffd\ufffdW\u001b\ufffd\ufffdwD\ufffd\ufffd\ufffd\u00b1\ufffd#\ufffdIZt<\ufffdl\ufffdz\ufffd-", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003J\ufffdg\ufffd2c\ufffdW\ufffd\u000e[\b\ufffdie&`\ufffd\ufffd\u0014\u0722\ufffd\b\u02ady\ufffdH7\ufffd 2)_\ufffd\r\ufffd\ufffd\u0010\ufffdd\ufffd\ufffd'\ufffd\ufffd6\u040f\u001bA\ufffd3\f\u0206<\ufffdE\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3cc9a88db4e98c171437c9b76ba2fb3c774c964e", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003J\ufffdg\ufffd2c\ufffdW\ufffd\u000e[\b\ufffdie&`\ufffd\ufffd\u0014\u0722\ufffd\b\u02ady\ufffdH7\ufffd 2)_\ufffd\r\ufffd\ufffd\u0010\ufffdd\ufffd\ufffd'\ufffd\ufffd6\u040f\u001bA\ufffd3\f\u0206<\ufffdE\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffdJ\ufffdg\ufffd2c\ufffdW\ufffd[\ufffdie&`\ufffd\ufffd\u0722\ufffd\u02ady\ufffdH7\ufffd 2)_\ufffd\r\ufffd\ufffd\ufffdd\ufffd\ufffd'\ufffd\ufffd6\u040fA\ufffd3\u0206<\ufffdE\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003J\ufffdg\ufffd2c\ufffdW\ufffd\u000e[\b\ufffdie&`\ufffd\ufffd\u0014\u0722\ufffd\b\u02ady\ufffdH7\ufffd 2)_\ufffd\r\ufffd\ufffd\u0010\ufffdd\ufffd\ufffd'\ufffd\ufffd6\u040f\u001bA\ufffd3\f\u0206<\ufffdE\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdJ\ufffdg\ufffd2c\ufffdW\ufffd[\ufffdie&`\ufffd\ufffd\u0722\ufffd\u02ady\ufffdH7\ufffd 2)_\ufffd\r\ufffd\ufffd\ufffdd\ufffd\ufffd'\ufffd\ufffd6\u040fA\ufffd3\u0206<\ufffdE\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��7� ��&�f�\�[� �j�1��kģ5 z� #�0�I7�:��+��AW�0Jj�h�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��7� ��&�f�\�[� �j�1��kģ5 z� #�0�I7�:��+��AW�0Jj�h�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��7� ��&�f�\�[� �j�1��kģ5 z� #�0�I7�:��+��AW�0Jj�h�&�+�/�,�0̨̩� �� /5� w �+3&$ XƟ�?V�Q5�Zz62͆:ȶ�z�1��s Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.81644948389158, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c3aad24e3228a5d36b1c6a215101f253", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd7\ufffd\r\ufffd\ufffd\ufffd\ufffd&\ufffdf\ufffd\\\ufffd[\ufffd\r\ufffdj\ufffd1\ufffd\u0016\ufffdk\u01235 z\ufffd\t#\u0003\ufffd0\ufffdI7\ufffd:\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdA\u0000W\u001a\ufffd0Jj\ufffdh\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd7\ufffd\r\ufffd\ufffd\ufffd\ufffd&\ufffdf\ufffd\\\ufffd[\ufffd\r\ufffdj\ufffd1\ufffd\u0016\ufffdk\u01235 z\ufffd\t#\u0003\ufffd0\ufffdI7\ufffd:\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdA\u0000W\u001a\ufffd0Jj\ufffdh\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 X\u019f\ufffd?\u0017V\ufffdQ5\ufffd\u001fZz62\u0346\u000f:\u0236\ufffd\u0016z\ufffd1\u0017\ufffd\u001d\ufffds", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd7\ufffd\r\ufffd\ufffd\ufffd\ufffd&\ufffdf\ufffd\\\ufffd[\ufffd\r\ufffdj\ufffd1\ufffd\u0016\ufffdk\u01235 z\ufffd\t#\u0003\ufffd0\ufffdI7\ufffd:\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdA\u0000W\u001a\ufffd0Jj\ufffdh\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cc398d6520ddcb06897f49cbb94924e38f718aa3", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd7\ufffd\r\ufffd\ufffd\ufffd\ufffd&\ufffdf\ufffd\\\ufffd[\ufffd\r\ufffdj\ufffd1\ufffd\u0016\ufffdk\u01235 z\ufffd\t#\u0003\ufffd0\ufffdI7\ufffd:\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdA\u0000W\u001a\ufffd0Jj\ufffdh\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\r\ufffd\ufffd\ufffd\ufffd&\ufffdf\ufffd\\\ufffd[\ufffd\r\ufffdj\ufffd1\ufffd\ufffdk\u01235 z\ufffd\t#\ufffd0\ufffdI7\ufffd:\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdAW\ufffd0Jj\ufffdh\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd7\ufffd\r\ufffd\ufffd\ufffd\ufffd&\ufffdf\ufffd\\\ufffd[\ufffd\r\ufffdj\ufffd1\ufffd\u0016\ufffdk\u01235 z\ufffd\t#\u0003\ufffd0\ufffdI7\ufffd:\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdA\u0000W\u001a\ufffd0Jj\ufffdh\u0007\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\r\ufffd\ufffd\ufffd\ufffd&\ufffdf\ufffd\\\ufffd[\ufffd\r\ufffdj\ufffd1\ufffd\ufffdk\u01235 z\ufffd\t#\ufffd0\ufffdI7\ufffd:\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffdAW\ufffd0Jj\ufffdh\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��_-��Nw��F&��f��#��HR�8%k �W�#� Нg��}��N2����!j ݀&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��_-��Nw��F&��f��#��HR�8%k �W�#� Нg��}��N2����!j݀&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��_-��Nw��F&��f��#��HR�8%k �W�#� Нg��}��N2����!j ݀&�+�/�,�0̨̩� �� /5� w �+3&$ �1�GqM��\|�T��='`���L�a Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.8900106079446495, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fde43c07efab931f37f5b98874c47669", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd_-\u0007\u0004\ufffd\ufffd\u0003Nw\ufffd\ufffdF&\ufffd\ufffdf\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffdHR\ufffd8%k \ufffdW\u0016\ufffd#\ufffd \u041dg\ufffd\ufffd\ufffd}\ufffd\ufffd\u000e\ufffd\u0018N2\ufffd\ufffd\ufffd\ufffd!j\f\u0740\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd_-\u0007\u0004\ufffd\ufffd\u0003Nw\ufffd\ufffdF&\ufffd\ufffdf\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffdHR\ufffd8%k \ufffdW\u0016\ufffd#\ufffd \u041dg\ufffd\ufffd\ufffd}\ufffd\ufffd\u000e\ufffd\u0018N2\ufffd\ufffd\ufffd\ufffd!j\f\u0740\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd1\ufffdGqM\ufffd\ufffd\ufffd\ufffd\|\ufffd\u0010T\ufffd\ufffd=\b'`\ufffd\ufffd\ufffd\u000e\ufffd\ufffd\ufffd\ufffdL\ufffda", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd_-\u0007\u0004\ufffd\ufffd\u0003Nw\ufffd\ufffdF&\ufffd\ufffdf\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffdHR\ufffd8%k \ufffdW\u0016\ufffd#\ufffd \u041dg\ufffd\ufffd\ufffd}\ufffd\ufffd\u000e\ufffd\u0018N2\ufffd\ufffd\ufffd\ufffd!j\f\u0740\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fc905c3e13eda6b895c25561c251c23f65e0559a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd_-\u0007\u0004\ufffd\ufffd\u0003Nw\ufffd\ufffdF&\ufffd\ufffdf\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffdHR\ufffd8%k \ufffdW\u0016\ufffd#\ufffd \u041dg\ufffd\ufffd\ufffd}\ufffd\ufffd\u000e\ufffd\u0018N2\ufffd\ufffd\ufffd\ufffd!j\f\u0740\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd_-\ufffd\ufffdNw\ufffd\ufffdF&\ufffd\ufffdf\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffdHR\ufffd8%k \ufffdW\ufffd#\ufffd \u041dg\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffdN2\ufffd\ufffd\ufffd\ufffd!j\u0740&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e\ufffd_-\u0007\u0004\ufffd\ufffd\u0003Nw\ufffd\ufffdF&\ufffd\ufffdf\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffdHR\ufffd8%k \ufffdW\u0016\ufffd#\ufffd \u041dg\ufffd\ufffd\ufffd}\ufffd\ufffd\u000e\ufffd\u0018N2\ufffd\ufffd\ufffd\ufffd!j\f\u0740\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd_-\ufffd\ufffdNw\ufffd\ufffdF&\ufffd\ufffdf\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffdHR\ufffd8%k \ufffdW\ufffd#\ufffd \u041dg\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffdN2\ufffd\ufffd*\ufffd\ufffd!j\u0740&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��0�屾1��C�ז�y��Jà�� P��p�.�PL2:��!jc�\5�4�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��0�屾1��C�ז�y��Jà�� P��p�.�PL2:��!jc�\5�4�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��0�屾1��C�ז�y��Jà�� P��p�.�PL2:��!jc�\5�4�&�+�/�,�0̨̩� �� /5� w �+3&$ ݻ�Y�I�;��$�U�X�E˅h�L�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.886898876811161, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cdccccbbadb52060bdff61cec9c7e9e1", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd\u5c7e1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u05d6\ufffdy\u0014\ufffd\ufffdJ\u00e0\ufffd\ufffd\ufffd \ufffd\r\ufffdP\ufffd\ufffdp\ufffd.\ufffdPL2:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!jc\u001c\ufffd\\5\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd\u5c7e1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u05d6\ufffdy\u0014\ufffd\ufffdJ\u00e0\ufffd\ufffd\ufffd \ufffd\r\ufffdP\ufffd\ufffdp\ufffd.\ufffdPL2:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!jc\u001c\ufffd\\5\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u077b\ufffdY\ufffdI\ufffd;\ufffd\u0018\ufffd$\ufffd\u0017U\ufffdX\ufffdE\u001d\u02c5h\ufffdL\ufffd\ufffd\ufffd\u0014\t\u0018\u001b", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd\u5c7e1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u05d6\ufffdy\u0014\ufffd\ufffdJ\u00e0\ufffd\ufffd\ufffd \ufffd\r\ufffdP\ufffd\ufffdp\ufffd.\ufffdPL2:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!jc\u001c\ufffd\\5\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f4764b4436999cb32e876db48c75832b195276d8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd\u5c7e1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u05d6\ufffdy\u0014\ufffd\ufffdJ\u00e0\ufffd\ufffd\ufffd \ufffd\r\ufffdP\ufffd\ufffdp\ufffd.\ufffdPL2:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!jc\u001c\ufffd\\5\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd\u5c7e1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u05d6\ufffdy\ufffd\ufffdJ\u00e0\ufffd\ufffd\ufffd \ufffd\r\ufffdP\ufffd\ufffdp\ufffd.\ufffdPL2:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!jc\ufffd\\5\ufffd4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd\u5c7e1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u05d6\ufffdy\u0014\ufffd\ufffdJ\u00e0\ufffd\ufffd\ufffd \ufffd\r\ufffdP\ufffd\ufffdp\ufffd.\ufffdPL2:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!jc\u001c\ufffd\\5\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd\u5c7e1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u05d6\ufffdy\ufffd\ufffdJ\u00e0\ufffd\ufffd\ufffd \ufffd\r\ufffdP\ufffd\ufffdp\ufffd.\ufffdPL2:\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!jc\ufffd\\5\ufffd4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��D0Tڤ�K��\�/�=�n�B鍤��ᅏW`< PM��y�%��À-#/(l�\�5�s��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��D0Tڤ�K��\�/�=�n�B鍤��ᅏW`< PM��y�%��À-#/(l�\�5�s��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��D0Tڤ�K��\�/�=�n�B鍤��ᅏW`< PM��y�%��À-#/(l�\�5�s��&�+�/�,�0̨̩� �� /5� w �+3&$ ^t c�]�t�_�s �K��p��&Y: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.822230423939766, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4af92af4937f3d60d1b1806244bca097", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D0T\u06a4\ufffdK\ufffd\u0017\ufffd\\\ufffd\/\ufffd=\ufffdn\ufffdB\u9364\ufffd\ufffd\u114fW`<\u0005 PM\ufffd\ufffd\ufffd\ufffdy\ufffd%\u001e\ufffd\ufffd\u00c0-#\/\u0001(l\ufffd\\\ufffd5\ufffds\u0018\u0017\ufffd\ufffd\u001e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D0T\u06a4\ufffdK\ufffd\u0017\ufffd\\\ufffd\/\ufffd=\ufffdn\ufffdB\u9364\ufffd\ufffd\u114fW`<\u0005 PM\ufffd\ufffd\ufffd\ufffdy\ufffd%\u001e\ufffd\ufffd\u00c0-#\/\u0001(l\ufffd\\\ufffd5\ufffds\u0018\u0017\ufffd\ufffd\u001e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 ^t\tc\ufffd]\ufffdt\ufffd_\ufffd\u0000s\r\ufffdK\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffd&Y:", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D0T\u06a4\ufffdK\ufffd\u0017\ufffd\\\ufffd\/\ufffd=\ufffdn\ufffdB\u9364\ufffd\ufffd\u114fW`<\u0005 PM\ufffd\ufffd\ufffd\ufffdy\ufffd%\u001e\ufffd\ufffd\u00c0-#\/\u0001(l\ufffd\\\ufffd5\ufffds\u0018\u0017\ufffd\ufffd\u001e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b73c2af087bb9e17682265299423539c42a803d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D0T\u06a4\ufffdK\ufffd\u0017\ufffd\\\ufffd\/\ufffd=\ufffdn\ufffdB\u9364\ufffd\ufffd\u114fW`<\u0005 PM\ufffd\ufffd\ufffd\ufffdy\ufffd%\u001e\ufffd\ufffd\u00c0-#\/\u0001(l\ufffd\\\ufffd5\ufffds\u0018\u0017\ufffd\ufffd\u001e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffdD0T\u06a4\ufffdK\ufffd\ufffd\\\ufffd\/\ufffd=\ufffdn\ufffdB\u9364\ufffd\ufffd\u114fW`< PM\ufffd\ufffd\ufffd\ufffdy\ufffd%\ufffd\ufffd\u00c0-#\/(l\ufffd\\\ufffd5\ufffds\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003D0T\u06a4\ufffdK\ufffd\u0017\ufffd\\\ufffd\/\ufffd=\ufffdn\ufffdB\u9364\ufffd\ufffd\u114fW`<\u0005 PM\ufffd\ufffd\ufffd\ufffdy\ufffd%\u001e\ufffd\ufffd\u00c0-#\/\u0001(l\ufffd\\\ufffd5\ufffds\u0018\u0017\ufffd\ufffd\u001e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdD0T\u06a4\ufffdK\ufffd\ufffd\\\ufffd\/\ufffd=\ufffdn\ufffdB\u9364\ufffd\ufffd\u114fW`< PM\ufffd\ufffd\ufffd\ufffdy\ufffd%\ufffd\ufffd\u00c0-#\/(l\ufffd\\\ufffd5\ufffds\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��a��$'� V��.�n!C��A"B��} �M��2tj^K[jy�f��ş{-�6��1 �]��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��a��$'� V��.�n!C��A"B��} �M��2tj^K[jy�f��ş{-�6��1�]��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��a��$'� V��.�n!C��A"B��} �M��2tj^K[jy�f��ş{-�6��1 �]��&�+�/�,�0̨̩� �� /5� w �+3&$ �� s��$`: $d;J�uAKFdcDHT{�ه{ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.918846458499026, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b1a7780e88b9dcd33312c70001e12adf", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd\ufffd$'\ufffd\nV\ufffd\u0012\ufffd\ufffd.\ufffdn!C\ufffd\ufffd\ufffd\ufffdA\u000e\"B\ufffd\ufffd} \ufffdM\ufffd\ufffd2t\u0015j^K[jy\ufffdf\ufffd\ufffd\u015f{-\ufffd6\ufffd\ufffd1\u000b\ufffd]\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd\ufffd$'\ufffd\nV\ufffd\u0012\ufffd\ufffd.\ufffdn!C\ufffd\ufffd\ufffd\ufffdA\u000e\"B\ufffd\ufffd} \ufffdM\ufffd\ufffd2t\u0015j^K[jy\ufffdf\ufffd\ufffd\u015f{-\ufffd6\ufffd\ufffd1\u000b\ufffd]\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u000bs\ufffd\ufffd$`: $d;J\u0013\ufffduAKFdcDHT{\ufffd\u0004\u0647{", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd\ufffd$'\ufffd\nV\ufffd\u0012\ufffd\ufffd.\ufffdn!C\ufffd\ufffd\ufffd\ufffdA\u000e\"B\ufffd\ufffd} \ufffdM\ufffd\ufffd2t\u0015j^K[jy\ufffdf\ufffd\ufffd\u015f{-\ufffd6\ufffd\ufffd1\u000b\ufffd]\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "14bcced9f3458bf1316a3d25fd37aa023d57c4da", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd\ufffd$'\ufffd\nV\ufffd\u0012\ufffd\ufffd.\ufffdn!C\ufffd\ufffd\ufffd\ufffdA\u000e\"B\ufffd\ufffd} \ufffdM\ufffd\ufffd2t\u0015j^K[jy\ufffdf\ufffd\ufffd\u015f{-\ufffd6\ufffd\ufffd1\u000b\ufffd]\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffda\ufffd\ufffd$'\ufffd\nV\ufffd\ufffd\ufffd.\ufffdn!C\ufffd\ufffd\ufffd\ufffdA\"B\ufffd\ufffd} \ufffdM\ufffd\ufffd2tj^K[jy\ufffdf\ufffd\ufffd\u015f{-\ufffd6\ufffd\ufffd1\ufffd]\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffda\ufffd\ufffd$'\ufffd\nV\ufffd\u0012\ufffd\ufffd.\ufffdn!C\ufffd\ufffd\ufffd\ufffdA\u000e\"B\ufffd\ufffd} \ufffdM\ufffd\ufffd2t\u0015j^K[jy\ufffdf\ufffd\ufffd\u015f{-\ufffd6\ufffd\ufffd1\u000b\ufffd]\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffda\ufffd\ufffd$'\ufffd\nV\ufffd\ufffd\ufffd.\ufffdn!C\ufffd\ufffd\ufffd\ufffdA\"B\ufffd\ufffd} \ufffdM\ufffd\ufffd2tj^K[jy\ufffdf\ufffd\ufffd\u015f{-\ufffd6\ufffd\ufffd1\ufffd]\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��@��\��N��>�0ݙ��q�<��[ �T1��@a^!S(L��n;��ĩe~�w}ߥ��:&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��@��\��N��>�0ݙ��q�<��[ �T1��@a^!S(L��n;��ĩe~�w}ߥ��:&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��@��\��N��>�0ݙ��q�<��[ �T1��@a^!S(L��n;��ĩe~�w}ߥ��:&�+�/�,�0̨̩� �� /5� w �+3&$ Z�ЕH䃞�O ��{��]T0�L ih8�b Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.905221787958872, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b908e44eca56006106dadff8dfae1033", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0002\ufffd\ufffd\\\ufffd\ufffdN\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd>\ufffd0\u0759\ufffd\ufffd\ufffdq\ufffd<\ufffd\ufffd[ \ufffdT1\ufffd\u0011\ufffd@a^!S(L\ufffd\ufffdn;\ufffd\ufffd\u0129e~\ufffdw}\u07e5\ufffd\ufffd:\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0002\ufffd\ufffd\\\ufffd\ufffdN\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd>\ufffd0\u0759\ufffd\ufffd\ufffdq\ufffd<\ufffd\ufffd[ \ufffdT1\ufffd\u0011\ufffd@a^!S(L\ufffd\ufffdn;\ufffd\ufffd\u0129e~\ufffdw}\u07e5\ufffd\ufffd:\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000b\fZ\ufffd\u0415H\u40de\ufffdO\t\ufffd\ufffd{\ufffd\ufffd\u0002]T0\ufffdL ih8\b\ufffdb", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0002\ufffd\ufffd\\\ufffd\ufffdN\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd>\ufffd0\u0759\ufffd\ufffd\ufffdq\ufffd<\ufffd\ufffd[ \ufffdT1\ufffd\u0011\ufffd@a^!S(L\ufffd\ufffdn;\ufffd\ufffd\u0129e~\ufffdw}\u07e5\ufffd\ufffd:\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cdf51a5547ab783d3d477d6c9609e2958b640729", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0002\ufffd\ufffd\\\ufffd\ufffdN\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd>\ufffd0\u0759\ufffd\ufffd\ufffdq\ufffd<\ufffd\ufffd[ \ufffdT1\ufffd\u0011\ufffd@a^!S(L\ufffd\ufffdn;\ufffd\ufffd\u0129e~\ufffdw}\u07e5\ufffd\ufffd:\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd@\ufffd\ufffd\\\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd0\u0759\ufffd\ufffd\ufffdq\ufffd<\ufffd\ufffd[ \ufffdT1\ufffd\ufffd@a^!S(L\ufffd\ufffdn;\ufffd\ufffd\u0129e~\ufffdw}\u07e5\ufffd\ufffd:&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0002\ufffd\ufffd\\\ufffd\ufffdN\ufffd\ufffd\u0003\ufffd\ufffd\ufffd\ufffd>\ufffd0\u0759\ufffd\ufffd\ufffdq\ufffd<\ufffd\ufffd[ \ufffdT1\ufffd\u0011\ufffd@a^!S(L\ufffd\ufffdn;\ufffd\ufffd\u0129e~\ufffdw}\u07e5\ufffd\ufffd:\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd@\ufffd\ufffd\\\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffd0\u0759\ufffd\ufffd\ufffdq\ufffd<\ufffd\ufffd[ \ufffdT1\ufffd\ufffd@a^!S(L\ufffd\ufffdn;\ufffd\ufffd\u0129e~\ufffdw}\u07e5\ufffd\ufffd:&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��G��i�,�<�Ն�Y� ��Dia��`�� %�MQ�_:--�} &B%�� 7��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��G��i�,�<�Ն�Y� ��Dia��`�� %�MQ�_:--�}&B%��7��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��G��i�,�<�Ն�Y� ��Dia��`�� %�MQ�_:--�} &B%�� 7��&�+�/�,�0̨̩� �� /5� w �+3&$ V�'��+igd��L�f��^��E�=��-�j�] Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.838462093033531, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c3de4b4d67246fa09cd26dabb6463f1a", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdG\ufffd\ufffdi\ufffd,\ufffd<\u0001\ufffd\u0546\ufffdY\ufffd\r\ufffd\ufffd\ufffd\ufffdDia\ufffd\ufffd`\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd%\ufffdMQ\ufffd_:-\u0015-\ufffd}\u000b&B\u000f%\ufffd\u001e\ufffd\ufffd\u000b7\ufffd\u0006\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdG\ufffd\ufffdi\ufffd,\ufffd<\u0001\ufffd\u0546\ufffdY\ufffd\r\ufffd\ufffd\ufffd\ufffdDia\ufffd\ufffd`\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd%\ufffdMQ\ufffd_:-\u0015-\ufffd}\u000b&B\u000f%\ufffd\u001e\ufffd\ufffd\u000b7\ufffd\u0006\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 V\ufffd'\ufffd\ufffd+igd\ufffd\ufffdL\ufffdf\ufffd\ufffd^\ufffd\ufffd\ufffdE\ufffd=\ufffd\ufffd\u001a\ufffd-\ufffdj\ufffd]", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdG\ufffd\ufffdi\ufffd,\ufffd<\u0001\ufffd\u0546\ufffdY\ufffd\r\ufffd\ufffd\ufffd\ufffdDia\ufffd\ufffd`\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd%\ufffdMQ\ufffd_:-\u0015-\ufffd}\u000b&B\u000f%\ufffd\u001e\ufffd\ufffd\u000b7\ufffd\u0006\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ecf1a58ed7eb06d2032bdf72451ff921e02f1cfd", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdG\ufffd\ufffdi\ufffd,\ufffd<\u0001\ufffd\u0546\ufffdY\ufffd\r\ufffd\ufffd\ufffd\ufffdDia\ufffd\ufffd`\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd%\ufffdMQ\ufffd_:-\u0015-\ufffd}\u000b&B\u000f%\ufffd\u001e\ufffd\ufffd\u000b7\ufffd\u0006\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffdi\ufffd,\ufffd<\ufffd\u0546\ufffdY\ufffd\r\ufffd\ufffd\ufffd\ufffdDia\ufffd\ufffd`\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd%\ufffdMQ\ufffd_:--\ufffd}&B%\ufffd\ufffd\ufffd7\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdG\ufffd\ufffdi\ufffd,\ufffd<\u0001\ufffd\u0546\ufffdY\ufffd\r\ufffd\ufffd\ufffd\ufffdDia\ufffd\ufffd`\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd%\ufffdMQ\ufffd_:-\u0015-\ufffd}\u000b&B\u000f%\ufffd\u001e\ufffd\ufffd\u000b7\ufffd\u0006\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffdi\ufffd,\ufffd<\ufffd\u0546\ufffdY\ufffd\r\ufffd\ufffd\ufffd\ufffdDia\ufffd\ufffd`\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd%\ufffdMQ\ufffd_:--\ufffd}&B%\ufffd\ufffd\ufffd7\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��6�}U�J��?ӿG҆��TX/n'ޔv4� ,�8��a�Z��g/��B��^�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��6�}U�J��?ӿG҆��TX/n'ޔv4� ,�8��a�Z��g/��B��^�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��6�}U�J��?ӿG҆��TX/n'ޔv4� ,�8��a�Z��g/��B��^�&�+�/�,�0̨̩� �� /5� w �+3&$ m��CN��4?��Z�d�0�3�ұAw:K[ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.7911627527944205, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3fcf303404bdc897d50d5718dd1f95c1", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036\b\ufffd}U\ufffd\u0003J\ufffd\ufffd\ufffd?\u04ffG\u0486\ufffd\ufffdT\u0007X\/n'\u0794\u001ev4\ufffd ,\ufffd\u00018\u0010\u001f\ufffd\ufffda\ufffdZ\ufffd\ufffd\ufffdg\u0012\/\ufffd\ufffd\ufffd\u0007\u001dB\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036\b\ufffd}U\ufffd\u0003J\ufffd\ufffd\ufffd?\u04ffG\u0486\ufffd\ufffdT\u0007X\/n'\u0794\u001ev4\ufffd ,\ufffd\u00018\u0010\u001f\ufffd\ufffda\ufffdZ\ufffd\ufffd\ufffdg\u0012\/\ufffd\ufffd\ufffd\u0007\u001dB\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 m\u0006\ufffd\ufffd\u001eCN\ufffd\u0000\ufffd4?\ufffd\ufffdZ\ufffd\u0018d\ufffd\b0\ufffd3\ufffd\u04b1Aw:\u000fK[", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036\b\ufffd}U\ufffd\u0003J\ufffd\ufffd\ufffd?\u04ffG\u0486\ufffd\ufffdT\u0007X\/n'\u0794\u001ev4\ufffd ,\ufffd\u00018\u0010\u001f\ufffd\ufffda\ufffdZ\ufffd\ufffd\ufffdg\u0012\/\ufffd\ufffd\ufffd\u0007\u001dB\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ab4d370f7bf65c0b6a8ae6cdff534bd78ecb497", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036\b\ufffd}U\ufffd\u0003J\ufffd\ufffd\ufffd?\u04ffG\u0486\ufffd\ufffdT\u0007X\/n'\u0794\u001ev4\ufffd ,\ufffd\u00018\u0010\u001f\ufffd\ufffda\ufffdZ\ufffd\ufffd\ufffdg\u0012\/\ufffd\ufffd\ufffd\u0007\u001dB\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd6\ufffd}U\ufffdJ\ufffd\ufffd\ufffd?\u04ffG\u0486\ufffd\ufffdTX\/n'\u0794v4\ufffd ,\ufffd8\ufffd\ufffda\ufffdZ\ufffd\ufffd\ufffdg\/\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00036\b\ufffd}U\ufffd\u0003J\ufffd\ufffd\ufffd?\u04ffG\u0486\ufffd\ufffdT\u0007X\/n'\u0794\u001ev4\ufffd ,\ufffd\u00018\u0010\u001f\ufffd\ufffda\ufffdZ\ufffd\ufffd\ufffdg\u0012\/\ufffd\ufffd\ufffd\u0007\u001dB\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd6\ufffd}U\ufffdJ\ufffd\ufffd\ufffd?\u04ffG\u0486\ufffd\ufffdTX\/n'\u0794v4\ufffd ,\ufffd8\ufffd\ufffda\ufffdZ\ufffd\ufffd\ufffdg\/\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��\@��rEZ�#@�̃{m 8�#f � �( �e�O�E��N��&��'��s�o��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��\@��rEZ�#@�̃{m 8�#f��( �e�O�E��N��&��'��s�o��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��\@��rEZ�#@�̃{m 8�#f � �( �e�O�E��N��&��'��s�o��&�+�/�,�0̨̩� �� /5� w �+3&$ ɫ�G$�ʰ�-��1� ��p9��A�igE�'oNF Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.850685395505501, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6956f2875e0a79d21959b39814bd76cb", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\\u001b@\b\ufffd\ufffdrE\u001fZ\ufffd#@\ufffd\u0303{m\t8\ufffd#f\f\ufffd\u0011\u000b\ufffd( \ufffde\ufffdO\u0012\ufffd\u0017E\u0007\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd&\ufffd\ufffd'\u0015\ufffd\ufffds\ufffd\u001do\ufffd\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\\u001b@\b\ufffd\ufffdrE\u001fZ\ufffd#@\ufffd\u0303{m\t8\ufffd#f\f\ufffd\u0011\u000b\ufffd( \ufffde\ufffdO\u0012\ufffd\u0017E\u0007\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd&\ufffd\ufffd'\u0015\ufffd\ufffds\ufffd\u001do\ufffd\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u026b\ufffdG$\ufffd\u02b0\ufffd-\ufffd\ufffd1\ufffd\f\ufffd\ufffdp9\ufffd\ufffdA\ufffdigE\ufffd'oNF", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\\u001b@\b\ufffd\ufffdrE\u001fZ\ufffd#@\ufffd\u0303{m\t8\ufffd#f\f\ufffd\u0011\u000b\ufffd( \ufffde\ufffdO\u0012\ufffd\u0017E\u0007\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd&\ufffd\ufffd'\u0015\ufffd\ufffds\ufffd\u001do\ufffd\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dc206fba165a1b91d01f3a167c9d95dbd41f470b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\\u001b@\b\ufffd\ufffdrE\u001fZ\ufffd#@\ufffd\u0303{m\t8\ufffd#f\f\ufffd\u0011\u000b\ufffd( \ufffde\ufffdO\u0012\ufffd\u0017E\u0007\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd&\ufffd\ufffd'\u0015\ufffd\ufffds\ufffd\u001do\ufffd\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\\@\ufffd\ufffdrEZ\ufffd#@\ufffd\u0303{m\t8\ufffd#f\ufffd\ufffd( \ufffde\ufffdO\ufffdE\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd&\ufffd\ufffd'\ufffd\ufffds\ufffdo\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\\u001b@\b\ufffd\ufffdrE\u001fZ\ufffd#@\ufffd\u0303{m\t8\ufffd#f\f\ufffd\u0011\u000b\ufffd( \ufffde\ufffdO\u0012\ufffd\u0017E\u0007\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd&\ufffd\ufffd'\u0015\ufffd\ufffds\ufffd\u001do\ufffd\ufffd\u001f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\\@\ufffd\ufffdrEZ\ufffd#@\ufffd\u0303{m\t8\ufffd#f\ufffd\ufffd( \ufffde\ufffdO\ufffdE\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffd&\ufffd\ufffd'\ufffd\ufffds\ufffdo\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��Z��7Q��e�U� � �1�w�jp�� "o%��C��_W�g�h�a�h��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Z��7Q��e�U� ��1�w�jp�� "o%��C��_W�g�h�a�h��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Z��7Q��e�U� � �1�w�jp�� "o%��C��_W�g�h�a�h��&�+�/�,�0̨̩� �� /5� w �+3&$ 1 _L� ;��F1P/�w��f��Vb�h�G Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.830310055786361, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fc06d1dc0600aa721f5264ad21c5ab63", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0006\ufffd7Q\ufffd\ufffde\ufffdU\ufffd\n\u0018\ufffd\f\ufffd1\ufffdw\ufffdjp\ufffd\ufffd\u001f\ufffd \u001e\ufffd\u0013\ufffd\"o%\ufffd\u0010\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd_W\ufffdg\ufffdh\ufffda\ufffd\u001dh\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0006\ufffd7Q\ufffd\ufffde\ufffdU\ufffd\n\u0018\ufffd\f\ufffd1\ufffdw\ufffdjp\ufffd\ufffd\u001f\ufffd \u001e\ufffd\u0013\ufffd\"o%\ufffd\u0010\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd_W\ufffdg\ufffdh\ufffda\ufffd\u001dh\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 1\u000b_\u000eL\ufffd\u0002\r;\ufffd\ufffdF1\u0007P\/\u0017\ufffdw\ufffd\ufffd\ufffdf\ufffd\ufffdVb\ufffdh\u0001\ufffdG", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0006\ufffd7Q\ufffd\ufffde\ufffdU\ufffd\n\u0018\ufffd\f\ufffd1\ufffdw\ufffdjp\ufffd\ufffd\u001f\ufffd \u001e\ufffd\u0013\ufffd\"o%\ufffd\u0010\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd_W\ufffdg\ufffdh\ufffda\ufffd\u001dh\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8ccf5fc10b88e60a5001c87b188508320af9d863", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0006\ufffd7Q\ufffd\ufffde\ufffdU\ufffd\n\u0018\ufffd\f\ufffd1\ufffdw\ufffdjp\ufffd\ufffd\u001f\ufffd \u001e\ufffd\u0013\ufffd\"o%\ufffd\u0010\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd_W\ufffdg\ufffdh\ufffda\ufffd\u001dh\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7Q\ufffd\ufffde\ufffdU\ufffd\n\ufffd\ufffd1\ufffdw\ufffdjp\ufffd\ufffd\ufffd \ufffd\ufffd\"o%\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffd\ufffd_W\ufffdg\ufffdh\ufffda\ufffdh\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0006\ufffd7Q\ufffd\ufffde\ufffdU\ufffd\n\u0018\ufffd\f\ufffd1\ufffdw\ufffdjp\ufffd\ufffd\u001f\ufffd \u001e\ufffd\u0013\ufffd\"o%\ufffd\u0010\ufffd\ufffdC\ufffd\ufffd\ufffd\u0006\ufffd_W\ufffdg\ufffdh\ufffda\ufffd\u001dh\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7Q\ufffd\ufffde\ufffdU\ufffd\n\ufffd\ufffd1\ufffdw\ufffdjp\ufffd\ufffd\ufffd \ufffd\ufffd\"o%\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffd\ufffd_W\ufffdg\ufffdh\ufffda\ufffdh\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��;n�4�+1�Z�-ĝ��=Z�vS8Ŏԅ�� Uhk��P(VO: =-:�פuW%@�> Q&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��;n�4�+1�Z�-ĝ��=Z�vS8Ŏԅ�� Uhk��P(VO: =-:�פuW%@�> Q&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��;n�4�+1�Z�-ĝ��=Z�vS8Ŏԅ�� Uhk��P(VO: =-:�פuW%@�> Q&�+�/�,�0̨̩� �� /5� w �+3&$ g�_�Q�ZJe��vTӑ�#�� Lf�߹�W Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.804500013069031, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "aded4ec7db59ae476da39f8a71abaab5", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\u0018;\u0010n\ufffd4\ufffd+1\ufffdZ\u001e\ufffd-\u011d\ufffd\ufffd=Z\ufffdvS8\u0012\u014e\u0505\ufffd\ufffd Uhk\ufffd\ufffd\u0005\ufffd\ufffd\u001d\ufffd\ufffd\ufffdP(VO:\n=-:\ufffd\u05e4uW%@\ufffd>\nQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\u0018;\u0010n\ufffd4\ufffd+1\ufffdZ\u001e\ufffd-\u011d\ufffd\ufffd=Z\ufffdvS8\u0012\u014e\u0505\ufffd\ufffd Uhk\ufffd\ufffd\u0005\ufffd\ufffd\u001d\ufffd\ufffd\ufffdP(VO:\n=-:\ufffd\u05e4uW%@\ufffd>\nQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 g\u0017\ufffd_\ufffdQ\u0006\ufffdZJe\ufffd\ufffdvT\u04d1\ufffd#\u0017\ufffd\ufffd\nLf\b\u0017\ufffd\u07f9\ufffdW", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\u0018;\u0010n\ufffd4\ufffd+1\ufffdZ\u001e\ufffd-\u011d\ufffd\ufffd=Z\ufffdvS8\u0012\u014e\u0505\ufffd\ufffd Uhk\ufffd\ufffd\u0005\ufffd\ufffd\u001d\ufffd\ufffd\ufffdP(VO:\n=-:\ufffd\u05e4uW%@\ufffd>\nQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "77e4b12e891fcfc65375f8025eae72558f03fb7a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\u0018;\u0010n\ufffd4\ufffd+1\ufffdZ\u001e\ufffd-\u011d\ufffd\ufffd=Z\ufffdvS8\u0012\u014e\u0505\ufffd\ufffd Uhk\ufffd\ufffd\u0005\ufffd\ufffd\u001d\ufffd\ufffd\ufffdP(VO:\n=-:\ufffd\u05e4uW%@\ufffd>\nQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd;n\ufffd4\ufffd+1\ufffdZ\ufffd-\u011d\ufffd\ufffd=Z\ufffdvS8\u014e\u0505\ufffd\ufffd Uhk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP(VO:\n=-:\ufffd\u05e4uW%@\ufffd>\nQ&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\u0018;\u0010n\ufffd4\ufffd+1\ufffdZ\u001e\ufffd-\u011d\ufffd\ufffd=Z\ufffdvS8\u0012\u014e\u0505\ufffd\ufffd Uhk\ufffd\ufffd\u0005\ufffd\ufffd\u001d\ufffd\ufffd\ufffdP(VO:\n=-:\ufffd\u05e4uW%@\ufffd>\nQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd;n\ufffd4\ufffd+1\ufffdZ\ufffd-\u011d\ufffd\ufffd=Z\ufffdvS8\u014e\u0505\ufffd\ufffd Uhk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP(VO:\n=-:\ufffd\u05e4uW%@\ufffd>\nQ&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��PI_{�� 9tn��f��cR��< 0��$��SE��ps��$B��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��PI_{��9tn��f��cR��< 0��$��SE��ps��$B��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��PI_{�� 9tn��f��cR��< 0��$��SE��ps��$B��&�+�/�,�0̨̩� �� /5� w �+3&$ .N�A7�}Z��j�H��Ad-q۰��]�m�^r Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.902752790194091, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b9f4322ef58e57190cadf75527fd85cd", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003PI_{\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u00079tn\ufffd\u0010\ufffd\u0014\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\u001bcR\ufffd\ufffd\u0006< 0\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdSE\ufffd\ufffd\ufffd\ufffdps\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$B\ufffd\ufffd\u0003\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003PI_{\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u00079tn\ufffd\u0010\ufffd\u0014\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\u001bcR\ufffd\ufffd\u0006< 0\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdSE\ufffd\ufffd\ufffd\ufffdps\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$B\ufffd\ufffd\u0003\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 .N\ufffdA7\ufffd}Z\ufffd\ufffd\ufffdj\ufffdH\u0012\ufffd\ufffdAd\u001f-q\u06f0\ufffd\ufffd]\ufffdm\ufffd^r", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003PI_{\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u00079tn\ufffd\u0010\ufffd\u0014\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\u001bcR\ufffd\ufffd\u0006< 0\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdSE\ufffd\ufffd\ufffd\ufffdps\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$B\ufffd\ufffd\u0003\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d06e51b2f2a786cca91cee6c7129f7facc58083", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003PI_{\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u00079tn\ufffd\u0010\ufffd\u0014\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\u001bcR\ufffd\ufffd\u0006< 0\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdSE\ufffd\ufffd\ufffd\ufffdps\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$B\ufffd\ufffd\u0003\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffdPI_{\ufffd\ufffd\ufffd\ufffd\ufffd9tn\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffdcR\ufffd\ufffd< 0\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdSE\ufffd\ufffd\ufffd\ufffdps\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$B\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003PI_{\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u00079tn\ufffd\u0010\ufffd\u0014\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffd\u001bcR\ufffd\ufffd\u0006< 0\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdSE\ufffd\ufffd\ufffd\ufffdps\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$B\ufffd\ufffd\u0003\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdPI_{\ufffd\ufffd\ufffd\ufffd\ufffd9tn\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffdcR\ufffd\ufffd< 0\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffdSE\ufffd\ufffd\ufffd\ufffdps\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$B\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��rCoH�csŹ� 1�O��_�:m�:�ݨ� �f�&��܅8ԎU�e͛�ͩ�]��\f�%&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��rCoH�csŹ� 1�O��_�:m�:�ݨ� �f�&��܅8ԎU�e͛�ͩ�]��\f�%&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��rCoH�csŹ� 1�O��_�:m�:�ݨ� �f�&��܅8ԎU�e͛�ͩ�]��\f�%&�+�/�,�0̨̩� �� /5� w �+3&$ k��u��7��ڢ(��R��l�&�+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.8458199860198405, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c4c963cc683f1a7634a05a7efc53992b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rCoH\u0000\ufffdcs\u0179\ufffd\r1\ufffdO\ufffd\u001b\ufffd\u0002\ufffd_\ufffd:m\ufffd:\ufffd\u0768\ufffd \ufffdf\ufffd&\ufffd\ufffd\u001c\u07058\u050eU\ufffde\u035b\ufffd\u0369\ufffd]\ufffd\u001f\u0003\ufffd\\f\u0002\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rCoH\u0000\ufffdcs\u0179\ufffd\r1\ufffdO\ufffd\u001b\ufffd\u0002\ufffd_\ufffd:m\ufffd:\ufffd\u0768\ufffd \ufffdf\ufffd&\ufffd\ufffd\u001c\u07058\u050eU\ufffde\u035b\ufffd\u0369\ufffd]\ufffd\u001f\u0003\ufffd\\f\u0002\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 k\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu\u000f\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd\u06a2(\ufffd\ufffdR\ufffd\ufffd\ufffd\u0017l\ufffd&\ufffd+", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rCoH\u0000\ufffdcs\u0179\ufffd\r1\ufffdO\ufffd\u001b\ufffd\u0002\ufffd_\ufffd:m\ufffd:\ufffd\u0768\ufffd \ufffdf\ufffd&\ufffd\ufffd\u001c\u07058\u050eU\ufffde\u035b\ufffd\u0369\ufffd]\ufffd\u001f\u0003\ufffd\\f\u0002\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ceea189d6eb14249c6a5d7c56803feb0202c6bb4", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rCoH\u0000\ufffdcs\u0179\ufffd\r1\ufffdO\ufffd\u001b\ufffd\u0002\ufffd_\ufffd:m\ufffd:\ufffd\u0768\ufffd \ufffdf\ufffd&\ufffd\ufffd\u001c\u07058\u050eU\ufffde\u035b\ufffd\u0369\ufffd]\ufffd\u001f\u0003\ufffd\\f\u0002\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffdrCoH\ufffdcs\u0179\ufffd\r1\ufffdO\ufffd\ufffd\ufffd_\ufffd:m\ufffd:\ufffd\u0768\ufffd \ufffdf\ufffd&\ufffd\ufffd\u07058\u050eU\ufffde\u035b\ufffd\u0369\ufffd]\ufffd\ufffd\\f\ufffd%&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rCoH\u0000\ufffdcs\u0179\ufffd\r1\ufffdO\ufffd\u001b\ufffd\u0002\ufffd_\ufffd:m\ufffd:\ufffd\u0768\ufffd \ufffdf\ufffd&\ufffd\ufffd\u001c\u07058\u050eU\ufffde\u035b\ufffd\u0369\ufffd]\ufffd\u001f\u0003\ufffd\\f\u0002\ufffd%\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdrCoH\ufffdcs\u0179\ufffd\r1\ufffdO\ufffd\ufffd\ufffd_\ufffd:m\ufffd:\ufffd\u0768\ufffd \ufffdf\ufffd&\ufffd\ufffd\u07058\u050eU\ufffde\u035b\ufffd\u0369\ufffd]\ufffd\ufffd\\f\ufffd%&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��#Iu�Jk�[��x��Gݬ��x}�Z � ��L!��W {K&�OB=��DɋA�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��#Iu�Jk�[��x��Gݬ��x}�Z � ��L!��W {K&�OB=��DɋA�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��#Iu�Jk�[��x��Gݬ��x}�Z � ��L!��W {K&�OB=��DɋA�&�+�/�,�0̨̩� �� /5� w �+3&$ s�(��J��W�� ��܊C�Cj Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.837579604742821, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d80aa53499a122ce18a738880fb7f0bc", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd#Iu\ufffd\u0003Jk\ufffd[\ufffd\u001a\ufffdx\u001e\ufffd\ufffd\ufffdG\u076c\u001e\ufffd\ufffdx}\ufffdZ\t\ufffd \ufffd\u001e\ufffd\u001a\ufffdL!\u001a\u0004\ufffd\ufffd\ufffd\u0018\ufffdW {K\u0019&\ufffdOB=\ufffd\ufffdD\u024bA\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd#Iu\ufffd\u0003Jk\ufffd[\ufffd\u001a\ufffdx\u001e\ufffd\ufffd\ufffdG\u076c\u001e\ufffd\ufffdx}\ufffdZ\t\ufffd \ufffd\u001e\ufffd\u001a\ufffdL!\u001a\u0004\ufffd\ufffd\ufffd\u0018\ufffdW {K\u0019&\ufffdOB=\ufffd\ufffdD\u024bA\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \bs\ufffd(\ufffd\ufffd\ufffdJ\ufffd\ufffdW\ufffd\u001d\ufffd\ufffd\u0001\f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\u070aC\ufffdCj", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd#Iu\ufffd\u0003Jk\ufffd[\ufffd\u001a\ufffdx\u001e\ufffd\ufffd\ufffdG\u076c\u001e\ufffd\ufffdx}\ufffdZ\t\ufffd \ufffd\u001e\ufffd\u001a\ufffdL!\u001a\u0004\ufffd\ufffd\ufffd\u0018\ufffdW {K\u0019&\ufffdOB=\ufffd\ufffdD\u024bA\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f8315a12ec66deefe64af6d4615ee60644f9c4aa", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd#Iu\ufffd\u0003Jk\ufffd[\ufffd\u001a\ufffdx\u001e\ufffd\ufffd\ufffdG\u076c\u001e\ufffd\ufffdx}\ufffdZ\t\ufffd \ufffd\u001e\ufffd\u001a\ufffdL!\u001a\u0004\ufffd\ufffd\ufffd\u0018\ufffdW {K\u0019&\ufffdOB=\ufffd\ufffdD\u024bA\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd#Iu\ufffdJk\ufffd[\ufffd\ufffdx\ufffd\ufffd\ufffdG\u076c\ufffd\ufffdx}\ufffdZ\t\ufffd \ufffd\ufffd\ufffdL!\ufffd\ufffd\ufffd\ufffdW {K&\ufffdOB=\ufffd\ufffdD\u024bA\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd#Iu\ufffd\u0003Jk\ufffd[\ufffd\u001a\ufffdx\u001e\ufffd\ufffd\ufffdG\u076c\u001e\ufffd\ufffdx}\ufffdZ\t\ufffd \ufffd\u001e\ufffd\u001a\ufffdL!\u001a\u0004\ufffd\ufffd\ufffd\u0018\ufffdW {K\u0019&\ufffdOB=\ufffd\ufffdD\u024bA\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd#Iu\ufffdJk\ufffd[\ufffd\ufffdx\ufffd\ufffd\ufffdG\u076c\ufffd\ufffdx}\ufffdZ\t\ufffd \ufffd\ufffd\ufffdL!\ufffd\ufffd\ufffd\ufffdW {K&\ufffdOB=\ufffd\ufffdD\u024bA\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ����s�f��C��٩f�p�As�:.c� &�v��]"��!$S�A�>��{��)R�ڂ&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ����s�f��C��٩f�p�As�:.c� &�v��]"��!$S�A�>��{��)R�ڂ&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ����s�f��C��٩f�p�As�:.c� &�v��]"��!$S�A�>��{��)R�ڂ&�+�/�,�0̨̩� �� /5� w �+3&$ �vs�)�+�p]] Μ�S>�� N��% Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.7299943029655225, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ce06eaf3d62a255431a248bec6d1c593", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\u0003f\ufffd\ufffd\ufffdC\ufffd\ufffd\u0669f\ufffdp\ufffdAs\ufffd:.c\ufffd &\ufffdv\ufffd\ufffd]\"\ufffd\ufffd!\u0000$S\ufffd\u0088A\ufffd>\ufffd\ufffd\ufffd{\u0010\ufffd\ufffd)R\ufffd\u0004\u0682\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\u0003f\ufffd\ufffd\ufffdC\ufffd\ufffd\u0669f\ufffdp\ufffdAs\ufffd:.c\ufffd &\ufffdv\ufffd\ufffd]\"\ufffd\ufffd!\u0000$S\ufffd\u0088A\ufffd>\ufffd\ufffd\ufffd{\u0010\ufffd\ufffd)R\ufffd\u0004\u0682\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdvs\u0018\ufffd)\ufffd+\ufffdp\u001e\u0004]] \u039c\ufffdS>\ufffd\ufffd\u001f \ufffd\u000bN\ufffd\ufffd\u0000%", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\u0003f\ufffd\ufffd\ufffdC\ufffd\ufffd\u0669f\ufffdp\ufffdAs\ufffd:.c\ufffd &\ufffdv\ufffd\ufffd]\"\ufffd\ufffd!\u0000$S\ufffd\u0088A\ufffd>\ufffd\ufffd\ufffd{\u0010\ufffd\ufffd)R\ufffd\u0004\u0682\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "600808015774261dade6e745749366b5073a730f", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\u0003f\ufffd\ufffd\ufffdC\ufffd\ufffd\u0669f\ufffdp\ufffdAs\ufffd:.c\ufffd &\ufffdv\ufffd\ufffd]\"\ufffd\ufffd!\u0000$S\ufffd\u0088A\ufffd>\ufffd\ufffd\ufffd{\u0010\ufffd\ufffd)R\ufffd\u0004\u0682\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds\ufffdf\ufffd\ufffd\ufffdC\ufffd\ufffd\u0669f\ufffdp\ufffdAs\ufffd:.c\ufffd &\ufffdv\ufffd\ufffd]\"\ufffd\ufffd!$S\ufffd\u0088A\ufffd>\ufffd\ufffd\ufffd{\ufffd\ufffd)R\ufffd\u0682&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds\ufffd\u0003f\ufffd\ufffd\ufffdC\ufffd\ufffd\u0669f\ufffdp\ufffdAs\ufffd:.c\ufffd &\ufffdv\ufffd\ufffd]\"\ufffd\ufffd!\u0000$S\ufffd\u0088A\ufffd>\ufffd\ufffd\ufffd{\u0010\ufffd\ufffd)R\ufffd\u0004\u0682\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffds\ufffdf\ufffd\ufffd\ufffdC\ufffd\ufffd\u0669f\ufffdp\ufffdAs\ufffd:.c\ufffd &\ufffdv\ufffd\ufffd]\"\ufffd\ufffd!$S\ufffd\u0088A\ufffd>\ufffd\ufffd\ufffd{\ufffd\ufffd)R\ufffd\u0682&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��k1>� ��:�Kic��S��^B"�l�� /�� bq�[z��Ob� �_l�>��5p~�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��k1>� ��:�Kic��S��^B"�l�� /�� bq�[z��Ob��_l�>��5p~�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��k1>� ��:�Kic��S��^B"�l�� /�� bq�[z��Ob� �_l�>��5p~�&�+�/�,�0̨̩� �� /5� w �+3&$ Y�I6BҺ2��M�7 �c��^&'�� H Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.8234626447662645, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "99c196e6004745ba3e31751888922796", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk1>\b\ufffd\r\ufffd\ufffd\ufffd:\ufffdKic\ufffd\ufffdS\ufffd\ufffd^\u0002\u0014B\"\ufffd\u000e\u0002l\ufffd\ufffd\ufffd \ufffd\/\ufffd\u0005\u0012\ufffd\n\ufffdbq\ufffd[z\ufffd\ufffdOb\ufffd\u000b\ufffd_\u000e\u001cl\ufffd>\ufffd\ufffd5p~\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk1>\b\ufffd\r\ufffd\ufffd\ufffd:\ufffdKic\ufffd\ufffdS\ufffd\ufffd^\u0002\u0014B\"\ufffd\u000e\u0002l\ufffd\ufffd\ufffd \ufffd\/\ufffd\u0005\u0012\ufffd\n\ufffdbq\ufffd[z\ufffd\ufffdOb\ufffd\u000b\ufffd_\u000e\u001cl\ufffd>\ufffd\ufffd5p~\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Y\ufffdI6B\u04ba\u00102\ufffd\ufffdM\u001e\ufffd7\f\ufffd\u001ac\ufffd\ufffd\ufffd^&'\ufffd\ufffd\r\ufffdH", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk1>\b\ufffd\r\ufffd\ufffd\ufffd:\ufffdKic\ufffd\ufffdS\ufffd\ufffd^\u0002\u0014B\"\ufffd\u000e\u0002l\ufffd\ufffd\ufffd \ufffd\/\ufffd\u0005\u0012\ufffd\n\ufffdbq\ufffd[z\ufffd\ufffdOb\ufffd\u000b\ufffd_\u000e\u001cl\ufffd>\ufffd\ufffd5p~\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89ee787b9c553a622bdf0c471710790d4a09d16f", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk1>\b\ufffd\r\ufffd\ufffd\ufffd:\ufffdKic\ufffd\ufffdS\ufffd\ufffd^\u0002\u0014B\"\ufffd\u000e\u0002l\ufffd\ufffd\ufffd \ufffd\/\ufffd\u0005\u0012\ufffd\n\ufffdbq\ufffd[z\ufffd\ufffdOb\ufffd\u000b\ufffd_\u000e\u001cl\ufffd>\ufffd\ufffd5p~\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffdk1>\ufffd\r\ufffd\ufffd\ufffd:\ufffdKic\ufffd\ufffdS\ufffd\ufffd^B\"\ufffdl\ufffd\ufffd\ufffd \ufffd\/\ufffd\ufffd\n\ufffdbq\ufffd[z\ufffd\ufffdOb\ufffd\ufffd_l\ufffd>\ufffd\ufffd5p~\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk1>\b\ufffd\r\ufffd\ufffd\ufffd:\ufffdKic\ufffd\ufffdS\ufffd\ufffd^\u0002\u0014B\"\ufffd\u000e\u0002l\ufffd\ufffd\ufffd \ufffd\/\ufffd\u0005\u0012\ufffd\n\ufffdbq\ufffd[z\ufffd\ufffdOb\ufffd\u000b\ufffd_\u000e\u001cl\ufffd>\ufffd\ufffd5p~\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdk1>\ufffd\r\ufffd\ufffd\ufffd:\ufffdKic\ufffd\ufffdS\ufffd\ufffd^B\"\ufffdl\ufffd\ufffd\ufffd \ufffd\/\ufffd\ufffd\n\ufffdbq\ufffd[z\ufffd\ufffdOb\ufffd\ufffd_l\ufffd>\ufffd\ufffd5p~\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��N' M�6�1L)Egx��V� ��59 =.B�C6�8�ܺ+l��Ȉ��s�ާ��Ł>�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��N' M�6�1L)Egx��V� ��59 =.B�C6�8�ܺ+l��Ȉ��s�ާ��Ł>�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��N' M�6�1L)Egx��V� ��59 =.B�C6�8�ܺ+l��Ȉ��s�ާ��Ł>�&�+�/�,�0̨̩� �� /5� w �+3&$ �$��>��HȨ�g��h"��e/�U� �l�' Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.85009246893614, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d2052a09dcf6664149eac2ee69c96658", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffdN'\t\u0005M\u001d\ufffd6\ufffd1L\u001c\u0006)Egx\ufffd\ufffd\ufffd\ufffdV\ufffd\t\u000e\ufffd\ufffd59 =.B\ufffdC6\ufffd8\ufffd\u073a+l\ufffd\ufffd\u0208\ufffd\ufffd\ufffds\u0004\ufffd\u07a7\ufffd\ufffd\ufffd\u0141>\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffdN'\t\u0005M\u001d\ufffd6\ufffd1L\u001c\u0006)Egx\ufffd\ufffd\ufffd\ufffdV\ufffd\t\u000e\ufffd\ufffd59 =.B\ufffdC6\ufffd8\ufffd\u073a+l\ufffd\ufffd\u0208\ufffd\ufffd\ufffds\u0004\ufffd\u07a7\ufffd\ufffd\ufffd\u0141>\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd$\ufffd\ufffd\ufffd>\ufffd\ufffdH\u0228\ufffdg\ufffd\ufffd\u000fh\"\u0006\ufffd\u0019\ufffde\/\ufffdU\ufffd\f\ufffdl\ufffd'", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffdN'\t\u0005M\u001d\ufffd6\ufffd1L\u001c\u0006)Egx\ufffd\ufffd\ufffd\ufffdV\ufffd\t\u000e\ufffd\ufffd59 =.B\ufffdC6\ufffd8\ufffd\u073a+l\ufffd\ufffd\u0208\ufffd\ufffd\ufffds\u0004\ufffd\u07a7\ufffd\ufffd\ufffd\u0141>\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c4815a652be617d4c861a69c7b7661c1426468b2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffdN'\t\u0005M\u001d\ufffd6\ufffd1L\u001c\u0006)Egx\ufffd\ufffd\ufffd\ufffdV\ufffd\t\u000e\ufffd\ufffd59 =.B\ufffdC6\ufffd8\ufffd\u073a+l\ufffd\ufffd\u0208\ufffd\ufffd\ufffds\u0004\ufffd\u07a7\ufffd\ufffd\ufffd\u0141>\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffdN'\tM\ufffd6\ufffd1L)Egx\ufffd\ufffd\ufffd\ufffdV\ufffd\t\ufffd\ufffd59 =.B\ufffdC6\ufffd8\ufffd\u073a+l\ufffd\ufffd\u0208\ufffd\ufffd\ufffds\ufffd\u07a7\ufffd\ufffd\ufffd\u0141>\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffdN'\t\u0005M\u001d\ufffd6\ufffd1L\u001c\u0006)Egx\ufffd\ufffd\ufffd\ufffdV\ufffd\t\u000e\ufffd\ufffd59 =.B\ufffdC6\ufffd8\ufffd\u073a+l\ufffd\ufffd\u0208\ufffd\ufffd\ufffds\u0004\ufffd\u07a7\ufffd\ufffd\ufffd\u0141>\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdN'\tM\ufffd6\ufffd1L*)Egx\ufffd\ufffd\ufffd\ufffdV\ufffd\t\ufffd\ufffd59 =.B\ufffdC6\ufffd8\ufffd\u073a+l\ufffd\ufffd\u0208\ufffd\ufffd\ufffds\ufffd\u07a7\ufffd\ufffd\ufffd\u0141>\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��b�nT��T�y�G�=D�� h��>� r� �g �O͗�'�N�v�N��%bp欕��à�̺&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��b�nT��T�y�G�=D�� h��>� r� �g �O͗�'�N�v�N��%bp欕��à�̺&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��b�nT��T�y�G�=D�� h��>� r� �g �O͗�'�N�v�N��%bp欕��à�̺&�+�/�,�0̨̩� �� /5� w �+3&$ ��P8��k��ݨ��= ��5o��f� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.856286131446339, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4e0cce1155921f954bf0ec2575b7c124", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002b\u0017\ufffdnT\ufffd\ufffdT\ufffdy\ufffdG\ufffd=D\ufffd\ufffd\ufffd\rh\ufffd\ufffd\ufffd>\ufffd\tr\ufffd\u001a \ufffdg\r\ufffdO\u0357\ufffd'\ufffdN\ufffdv\ufffdN\ufffd\ufffd\ufffd%\u000ebp\u6b15\ufffd\ufffd\u00e0\ufffd\u033a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002b\u0017\ufffdnT\ufffd\ufffdT\ufffdy\ufffdG\ufffd=D\ufffd\ufffd\ufffd\rh\ufffd\ufffd\ufffd>\ufffd\tr\ufffd\u001a \ufffdg\r\ufffdO\u0357\ufffd'\ufffdN\ufffdv\ufffdN\ufffd\ufffd\ufffd%\u000ebp\u6b15\ufffd\ufffd\u00e0\ufffd\u033a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0019\ufffdP8\ufffd\ufffdk\ufffd\ufffd\u0768\u0000\ufffd\ufffd\ufffd=\r\ufffd\ufffd5o\ufffd\ufffd\u0013\ufffd\ufffdf\ufffd\u000e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002b\u0017\ufffdnT\ufffd\ufffdT\ufffdy\ufffdG\ufffd=D\ufffd\ufffd\ufffd\rh\ufffd\ufffd\ufffd>\ufffd\tr\ufffd\u001a \ufffdg\r\ufffdO\u0357\ufffd'\ufffdN\ufffdv\ufffdN\ufffd\ufffd\ufffd%\u000ebp\u6b15\ufffd\ufffd\u00e0\ufffd\u033a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93fce8bc5ca7699a4693ecf23cb148db52939514", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002b\u0017\ufffdnT\ufffd\ufffdT\ufffdy\ufffdG\ufffd=D\ufffd\ufffd\ufffd\rh\ufffd\ufffd\ufffd>\ufffd\tr\ufffd\u001a \ufffdg\r\ufffdO\u0357\ufffd'\ufffdN\ufffdv\ufffdN\ufffd\ufffd\ufffd%\u000ebp\u6b15\ufffd\ufffd\u00e0\ufffd\u033a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffdb\ufffdnT\ufffd\ufffdT\ufffdy\ufffdG\ufffd=D\ufffd\ufffd\ufffd\rh\ufffd\ufffd\ufffd>\ufffd\tr\ufffd \ufffdg\r\ufffdO\u0357\ufffd'\ufffdN\ufffdv\ufffdN\ufffd\ufffd\ufffd%bp\u6b15\ufffd\ufffd\u00e0\ufffd\u033a&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002b\u0017\ufffdnT\ufffd\ufffdT\ufffdy\ufffdG\ufffd=D\ufffd\ufffd\ufffd\rh\ufffd\ufffd\ufffd>\ufffd\tr\ufffd\u001a \ufffdg\r\ufffdO\u0357\ufffd'\ufffdN\ufffdv\ufffdN\ufffd\ufffd\ufffd%\u000ebp\u6b15\ufffd\ufffd\u00e0\ufffd\u033a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdb\ufffdnT\ufffd\ufffdT\ufffdy\ufffdG\ufffd=D\ufffd\ufffd\ufffd\rh\ufffd\ufffd\ufffd>\ufffd\tr\ufffd \ufffdg\r\ufffdO\u0357\ufffd'\ufffdN\ufffdv\ufffdN\ufffd\ufffd\ufffd%bp\u6b15\ufffd\ufffd\u00e0\ufffd\u033a&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��rRR�+��^�� p��y�q�"��?� ky��E��xRˣa&[��'QDv��}��K�'�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��rRR�+��^�� p��y�q�"��?� ky��E��xRˣa&[��'QDv��}��K�'�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��rRR�+��^�� p��y�q�"��?� ky��E��xRˣa&[��'QDv��}��K�'�&�+�/�,�0̨̩� �� /5� w �+3&$ ��؉��A(p��2�EŦ��Mg7 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.855549344243185, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bf21dd37181d9a0282a4a9ece074c0f0", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rR\u0012R\ufffd+\ufffd\ufffd^\ufffd\ufffd\tp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffdq\ufffd\"\u0006\ufffd\ufffd\ufffd\ufffd?\ufffd ky\ufffd\ufffdE\ufffd\ufffdxR\u02e3a&[\ufffd\ufffd'QD\u0001v\ufffd\ufffd}\ufffd\u0015\ufffd\ufffdK\ufffd'\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rR\u0012R\ufffd+\ufffd\ufffd^\ufffd\ufffd\tp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffdq\ufffd\"\u0006\ufffd\ufffd\ufffd\ufffd?\ufffd ky\ufffd\ufffdE\ufffd\ufffdxR\u02e3a&[\ufffd\ufffd'QD\u0001v\ufffd\ufffd}\ufffd\u0015\ufffd\ufffdK\ufffd'\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0006\ufffd\ufffd\ufffd\u0016\u0609\ufffd\ufffdA(p\ufffd\u0019\ufffd\ufffd2\ufffd\u0018E\u0166\ufffd\u0019\u0015\ufffd\ufffdM\b\u0005g7", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rR\u0012R\ufffd+\ufffd\ufffd^\ufffd\ufffd\tp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffdq\ufffd\"\u0006\ufffd\ufffd\ufffd\ufffd?\ufffd ky\ufffd\ufffdE\ufffd\ufffdxR\u02e3a&[\ufffd\ufffd'QD\u0001v\ufffd\ufffd}\ufffd\u0015\ufffd\ufffdK\ufffd'\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ef19c635ed3488feb86a523dc245a29f4654cce0", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rR\u0012R\ufffd+\ufffd\ufffd^\ufffd\ufffd\tp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffdq\ufffd\"\u0006\ufffd\ufffd\ufffd\ufffd?\ufffd ky\ufffd\ufffdE\ufffd\ufffdxR\u02e3a&[\ufffd\ufffd'QD\u0001v\ufffd\ufffd}\ufffd\u0015\ufffd\ufffdK\ufffd'\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffdrRR\ufffd+\ufffd\ufffd^\ufffd\ufffd\tp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffdq\ufffd\"\ufffd\ufffd\ufffd\ufffd?\ufffd ky\ufffd\ufffdE\ufffd\ufffdxR\u02e3a&[\ufffd\ufffd'QDv\ufffd\ufffd}\ufffd\ufffd\ufffdK\ufffd'\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rR\u0012R\ufffd+\ufffd\ufffd^\ufffd\ufffd\tp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffdq\ufffd\"\u0006\ufffd\ufffd\ufffd\ufffd?\ufffd ky\ufffd\ufffdE\ufffd\ufffdxR\u02e3a&[\ufffd\ufffd'QD\u0001v\ufffd\ufffd}\ufffd\u0015\ufffd\ufffdK\ufffd'\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdrRR\ufffd+\ufffd\ufffd^\ufffd\ufffd\tp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffdq\ufffd\"\ufffd\ufffd\ufffd\ufffd?\ufffd ky\ufffd\ufffdE\ufffd\ufffdxR\u02e3a&[\ufffd\ufffd'QDv\ufffd\ufffd}\ufffd\ufffd\ufffdK\ufffd'\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��֪� �BK�<"}fХ� ��lV<��P�;� �E�cq��Nb��::}2i��k�mIϪ�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��֪� �BK�<"}fХ� ��lV<��P�;� �E�cq��Nb��::}2i��k�mIϪ�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��֪� �BK�<"}fХ� ��lV<��P�;� �E�cq��Nb��::}2i��k�mIϪ�&�+�/�,�0̨̩� �� /5� w �+3&$ �#-r/��R4O��;��b ��Qq�7EI��w4 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.854459867050261, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dcb1c3ebc5bc62acd05df89c95dda5c3", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05aa\ufffd\u0003\r\ufffdBK\ufffd<\"\u0000}f\u0425\ufffd\r\ufffd\ufffdlV<\u001b\ufffd\ufffd\u001aP\ufffd;\ufffd \ufffd\u0017E\ufffdcq\ufffd\ufffdNb\u000f\ufffd\ufffd\ufffd\ufffd::\u0015}2i\ufffd\ufffdk\ufffdmI\u03ea\ufffd\u0007\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05aa\ufffd\u0003\r\ufffdBK\ufffd<\"\u0000}f\u0425\ufffd\r\ufffd\ufffdlV<\u001b\ufffd\ufffd\u001aP\ufffd;\ufffd \ufffd\u0017E\ufffdcq\ufffd\ufffdNb\u000f\ufffd\ufffd\ufffd\ufffd::\u0015}2i\ufffd\ufffdk\ufffdmI\u03ea\ufffd\u0007\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0011#-r\/\ufffd\ufffdR4O\ufffd\u0007\ufffd;\ufffd\ufffdb\f\ufffd\ufffdQq\ufffd7EI\ufffd\ufffd\ufffdw4", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05aa\ufffd\u0003\r\ufffdBK\ufffd<\"\u0000}f\u0425\ufffd\r\ufffd\ufffdlV<\u001b\ufffd\ufffd\u001aP\ufffd;\ufffd \ufffd\u0017E\ufffdcq\ufffd\ufffdNb\u000f\ufffd\ufffd\ufffd\ufffd::\u0015}2i\ufffd\ufffdk\ufffdmI\u03ea\ufffd\u0007\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1caa45d3f996e096bf04a92ff6de2b08e1acf545", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05aa\ufffd\u0003\r\ufffdBK\ufffd<\"\u0000}f\u0425\ufffd\r\ufffd\ufffdlV<\u001b\ufffd\ufffd\u001aP\ufffd;\ufffd \ufffd\u0017E\ufffdcq\ufffd\ufffdNb\u000f\ufffd\ufffd\ufffd\ufffd::\u0015}2i\ufffd\ufffdk\ufffdmI\u03ea\ufffd\u0007\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\u05aa\ufffd\r\ufffdBK\ufffd<\"}f\u0425\ufffd\r\ufffd\ufffdlV<\ufffd\ufffdP\ufffd;\ufffd \ufffdE\ufffdcq\ufffd\ufffdNb\ufffd\ufffd\ufffd\ufffd::}2i\ufffd\ufffdk\ufffdmI\u03ea\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05aa\ufffd\u0003\r\ufffdBK\ufffd<\"\u0000}f\u0425\ufffd\r\ufffd\ufffdlV<\u001b\ufffd\ufffd\u001aP\ufffd;\ufffd \ufffd\u0017E\ufffdcq\ufffd\ufffdNb\u000f\ufffd\ufffd\ufffd\ufffd::\u0015}2i\ufffd\ufffdk\ufffdmI\u03ea\ufffd\u0007\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\u05aa\ufffd\r\ufffdBK\ufffd<\"}f\u0425\ufffd\r\ufffd\ufffdlV<\ufffd\ufffdP\ufffd;\ufffd \ufffdE\ufffdcq\ufffd\ufffdNb\ufffd\ufffd\ufffd\ufffd::}2i\ufffd\ufffdk\ufffdmI\u03ea\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��͓�R��Zi�y��0-H�.��o �j��;��T��P��=��$��̛h[&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��͓�R��Zi�y��0-H�.��o �j��;��T��P��=��$��̛h[&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��͓�R��Zi�y��0-H�.��o �j��;��T��P��=��$��̛h[&�+�/�,�0̨̩� �� /5� w �+3&$ ��I��9��zƠ��Ȧ7�S�H�fku9�W Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.900198024004927, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b7ca00e8ef5073ec7934d18135eed299", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0353\u0007\ufffdR\u0017\ufffd\ufffd\ufffd\ufffdZi\ufffdy\ufffd\ufffd\u001f\ufffd0-H\ufffd.\u000f\ufffd\u0011\ufffdo\u001f\u0001 \ufffdj\ufffd\ufffd;\ufffd\ufffdT\ufffd\u000e\ufffd\ufffd\ufffd\ufffdP\ufffd\u001f\ufffd=\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u031bh[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0353\u0007\ufffdR\u0017\ufffd\ufffd\ufffd\ufffdZi\ufffdy\ufffd\ufffd\u001f\ufffd0-H\ufffd.\u000f\ufffd\u0011\ufffdo\u001f\u0001 \ufffdj\ufffd\ufffd;\ufffd\ufffdT\ufffd\u000e\ufffd\ufffd\ufffd\ufffdP\ufffd\u001f\ufffd=\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u031bh[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdI\ufffd\ufffd9\u0015\ufffd\ufffd\ufffdz\u01a0\ufffd\ufffd\u02267\ufffdS\ufffd\u0006H\ufffdfku9\u0017\ufffdW", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0353\u0007\ufffdR\u0017\ufffd\ufffd\ufffd\ufffdZi\ufffdy\ufffd\ufffd\u001f\ufffd0-H\ufffd.\u000f\ufffd\u0011\ufffdo\u001f\u0001 \ufffdj\ufffd\ufffd;\ufffd\ufffdT\ufffd\u000e\ufffd\ufffd\ufffd\ufffdP\ufffd\u001f\ufffd=\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u031bh[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f3f7de73cd00508f021810e3cca1348dba109f1", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0353\u0007\ufffdR\u0017\ufffd\ufffd\ufffd\ufffdZi\ufffdy\ufffd\ufffd\u001f\ufffd0-H\ufffd.\u000f\ufffd\u0011\ufffdo\u001f\u0001 \ufffdj\ufffd\ufffd;\ufffd\ufffdT\ufffd\u000e\ufffd\ufffd\ufffd\ufffdP\ufffd\u001f\ufffd=\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u031bh[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u0353\ufffdR\ufffd\ufffd\ufffd\ufffdZi\ufffdy\ufffd\ufffd\ufffd0-H\ufffd.\ufffd\ufffdo \ufffdj\ufffd\ufffd;\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd=\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u031bh[&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0353\u0007\ufffdR\u0017\ufffd\ufffd\ufffd\ufffdZi\ufffdy\ufffd\ufffd\u001f\ufffd0-H\ufffd.\u000f\ufffd\u0011\ufffdo\u001f\u0001 \ufffdj\ufffd\ufffd;\ufffd\ufffdT\ufffd\u000e\ufffd\ufffd\ufffd\ufffdP\ufffd\u001f\ufffd=\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u031bh[\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u0353\ufffdR\ufffd\ufffd\ufffd\ufffdZi\ufffdy\ufffd\ufffd\ufffd0-H\ufffd.\ufffd\ufffdo \ufffdj\ufffd\ufffd;\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd=\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u031bh[&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��w��Pc�]�{Ʊ&�L�ף��C�.�Z* �4�Ӄ��L�_�L�2;S�Tj�7נ�%)��G&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��w��Pc�]�{Ʊ&�L�ף��C�.�Z* �4�Ӄ��L�_�L�2;S�Tj�7נ�%)��G&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��w��Pc�]�{Ʊ&�L�ף��C�.�Z* �4�Ӄ��L�_�L�2;S�Tj�7נ�%)��G&�+�/�,�0̨̩� �� /5� w �+3&$ 8DfZf�9՗�?�8m2��B�?��YXmh Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.831994444001859, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0a2d4a30190539c31101e64a41232e51", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdw\ufffd\ufffdPc\ufffd]\ufffd{\u01b1&\ufffdL\u001d\ufffd\u05e3\ufffd\ufffd\ufffd\u001aC\ufffd.\ufffdZ* \ufffd4\ufffd\u04c3\ufffd\ufffd\u0001L\ufffd_\ufffdL\ufffd\u00172\u0001;S\ufffdTj\ufffd7\u05e0\ufffd%)\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdw\ufffd\ufffdPc\ufffd]\ufffd{\u01b1&\ufffdL\u001d\ufffd\u05e3\ufffd\ufffd\ufffd\u001aC\ufffd.\ufffdZ* \ufffd4\ufffd\u04c3\ufffd\ufffd\u0001L\ufffd_\ufffdL\ufffd\u00172\u0001;S\ufffdTj\ufffd7\u05e0\ufffd%)\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 8DfZf\ufffd9\u0557\ufffd?\ufffd8m2\ufffd\ufffd\u0001B\ufffd?\u0010\u0015\u0005\ufffd\ufffdY\u0010X\u0001mh", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdw\ufffd\ufffdPc\ufffd]\ufffd{\u01b1&\ufffdL\u001d\ufffd\u05e3\ufffd\ufffd\ufffd\u001aC\ufffd.\ufffdZ* \ufffd4\ufffd\u04c3\ufffd\ufffd\u0001L\ufffd_\ufffdL\ufffd\u00172\u0001;S\ufffdTj\ufffd7\u05e0\ufffd%)\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "522060d87d711cf21f6c71e1887fa41b880e7c08", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdw\ufffd\ufffdPc\ufffd]\ufffd{\u01b1&\ufffdL\u001d\ufffd\u05e3\ufffd\ufffd\ufffd\u001aC\ufffd.\ufffdZ* \ufffd4\ufffd\u04c3\ufffd\ufffd\u0001L\ufffd_\ufffdL\ufffd\u00172\u0001;S\ufffdTj\ufffd7\u05e0\ufffd%)\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffdPc\ufffd]\ufffd{\u01b1&\ufffdL\ufffd\u05e3\ufffd\ufffd\ufffdC\ufffd.\ufffdZ* \ufffd4\ufffd\u04c3\ufffd\ufffdL\ufffd_\ufffdL\ufffd2;S\ufffdTj\ufffd7\u05e0\ufffd%)\ufffd\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdw\ufffd\ufffdPc\ufffd]\ufffd{\u01b1&\ufffdL\u001d\ufffd\u05e3\ufffd\ufffd\ufffd\u001aC\ufffd.\ufffdZ* \ufffd4\ufffd\u04c3\ufffd\ufffd\u0001L\ufffd_\ufffdL\ufffd\u00172\u0001;S\ufffdTj\ufffd7\u05e0\ufffd%)\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffdPc\ufffd]\ufffd{\u01b1&\ufffdL\ufffd\u05e3\ufffd\ufffd\ufffdC\ufffd.\ufffdZ* \ufffd4\ufffd\u04c3\ufffd\ufffdL\ufffd_\ufffdL\ufffd2;S\ufffdTj\ufffd7\u05e0\ufffd%)\ufffd\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��g� ��X�Y� �S�U_�]��}#[Z�f ��`��fE�� $-c�A��ƾ�� ī �&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��g� ��X�Y� �S�U_�]��}#[Z�f ��`��fE�� $-c�A��ƾ��ī �&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��g� ��X�Y� �S�U_�]��}#[Z�f ��`��fE�� $-c�A��ƾ�� ī �&�+�/�,�0̨̩� �� /5� w �+3&$ ؈m��l��֦�L^�PD��G��僭�3 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.853626479067588, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8ffe6b5ff5e035dbeae449ef5ad2bd73", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g\ufffd\n\ufffd\ufffd\ufffd\u001bX\ufffdY\ufffd\n\u0012\ufffdS\ufffdU_\ufffd]\ufffd\ufffd\u0016\ufffd}#[Z\ufffdf \ufffd\u0015\ufffd`\u001f\ufffd\ufffdfE\ufffd\ufffd\ufffd\t$-c\ufffdA\ufffd\ufffd\u01be\ufffd\ufffd\ufffd\ufffd\f\ufffd\u012b \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g\ufffd\n\ufffd\ufffd\ufffd\u001bX\ufffdY\ufffd\n\u0012\ufffdS\ufffdU_\ufffd]\ufffd\ufffd\u0016\ufffd}#[Z\ufffdf \ufffd\u0015\ufffd`\u001f\ufffd\ufffdfE\ufffd\ufffd\ufffd\t$-c\ufffdA\ufffd\ufffd\u01be\ufffd\ufffd\ufffd\ufffd\f\ufffd\u012b \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0608m\u0017\ufffd\ufffdl\ufffd\ufffd\u05a6\ufffd\u0003L^\ufffdPD\u0001\u001c\ufffd\ufffdG\ufffd\u0017\ufffd\u50ed\ufffd\b3", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g\ufffd\n\ufffd\ufffd\ufffd\u001bX\ufffdY\ufffd\n\u0012\ufffdS\ufffdU_\ufffd]\ufffd\ufffd\u0016\ufffd}#[Z\ufffdf \ufffd\u0015\ufffd`\u001f\ufffd\ufffdfE\ufffd\ufffd\ufffd\t$-c\ufffdA\ufffd\ufffd\u01be\ufffd\ufffd\ufffd\ufffd\f\ufffd\u012b \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "95f0ab1c4291218eeaef27c221c262568b3b0437", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g\ufffd\n\ufffd\ufffd\ufffd\u001bX\ufffdY\ufffd\n\u0012\ufffdS\ufffdU_\ufffd]\ufffd\ufffd\u0016\ufffd}#[Z\ufffdf \ufffd\u0015\ufffd`\u001f\ufffd\ufffdfE\ufffd\ufffd\ufffd\t$-c\ufffdA\ufffd\ufffd\u01be\ufffd\ufffd\ufffd\ufffd\f\ufffd\u012b \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffdg\ufffd\n\ufffd\ufffd\ufffdX\ufffdY\ufffd\n\ufffdS\ufffdU_\ufffd]\ufffd\ufffd\ufffd}#[Z\ufffdf \ufffd\ufffd`\ufffd\ufffdfE\ufffd\ufffd\ufffd\t$-c\ufffdA\ufffd\ufffd\u01be\ufffd\ufffd\ufffd\ufffd\ufffd\u012b \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003g\ufffd\n\ufffd\ufffd\ufffd\u001bX\ufffdY\ufffd\n\u0012\ufffdS\ufffdU_\ufffd]\ufffd\ufffd\u0016\ufffd}#[Z\ufffdf \ufffd\u0015\ufffd`\u001f\ufffd\ufffdfE\ufffd\ufffd\ufffd\t$-c\ufffdA\ufffd\ufffd\u01be\ufffd\ufffd\ufffd\ufffd\f\ufffd\u012b \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdg\ufffd\n\ufffd\ufffd\ufffdX\ufffdY\ufffd\n\ufffdS*\ufffdU_\ufffd]\ufffd\ufffd\ufffd}#[Z\ufffdf \ufffd\ufffd`\ufffd\ufffdfE\ufffd\ufffd\ufffd\t$-c\ufffdA\ufffd\ufffd\u01be\ufffd\ufffd\ufffd\ufffd\ufffd\u012b \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��5Y�Y�u�]�s�2��E��ԁ��D�� 3a(s&�] ��h�eŜK1��SR�ꢐ1�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��5Y�Y�u�]�s�2��E��ԁ��D�� 3a(s&�]��h�eŜK1��SR�ꢐ1�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��5Y�Y�u�]�s�2��E��ԁ��D�� 3a(s&�] ��h�eŜK1��SR�ꢐ1�&�+�/�,�0̨̩� �� /5� w �+3&$ �<w��t��65l�s�}�I{��D�8�i Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.825162945839768, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0858a778b16c1baa73881522ca3e8bc7", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5Y\ufffdY\ufffdu\ufffd]\ufffds\ufffd2\ufffd\u0016\ufffd\ufffd\u0017\ufffd\ufffdE\ufffd\ufffd\u0501\ufffd\ufffd\u0002D\ufffd\ufffd\ufffd \ufffd3a(s&\ufffd]\u000b\ufffd\ufffd\ufffdh\ufffde\u015c\uec16K1\ufffd\ufffdSR\ufffd\ua8901\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5Y\ufffdY\ufffdu\ufffd]\ufffds\ufffd2\ufffd\u0016\ufffd\ufffd\u0017\ufffd\ufffdE\ufffd\ufffd\u0501\ufffd\ufffd\u0002D\ufffd\ufffd\ufffd \ufffd3a(s&\ufffd]\u000b\ufffd\ufffd\ufffdh\ufffde\u015c\uec16K1\ufffd\ufffdSR\ufffd\ua8901\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd<w\ufffd\ufffd\ufffd\u0002\ufffdt\ufffd\ufffd\ufffd65l\ufffds\ufffd}\ufffdI{\ufffd\ufffd\ufffdD\ufffd8\ufffdi", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5Y\ufffdY\ufffdu\ufffd]\ufffds\ufffd2\ufffd\u0016\ufffd\ufffd\u0017\ufffd\ufffdE\ufffd\ufffd\u0501\ufffd\ufffd\u0002D\ufffd\ufffd\ufffd \ufffd3a(s&\ufffd]\u000b\ufffd\ufffd\ufffdh\ufffde\u015c\uec16K1\ufffd\ufffdSR\ufffd\ua8901\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89eea407d07c6d30b26d4d898eaa49945fe18692", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5Y\ufffdY\ufffdu\ufffd]\ufffds\ufffd2\ufffd\u0016\ufffd\ufffd\u0017\ufffd\ufffdE\ufffd\ufffd\u0501\ufffd\ufffd\u0002D\ufffd\ufffd\ufffd \ufffd3a(s&\ufffd]\u000b\ufffd\ufffd\ufffdh\ufffde\u015c\uec16K1\ufffd\ufffdSR\ufffd\ua8901\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd5Y\ufffdY\ufffdu\ufffd]\ufffds\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\u0501\ufffd\ufffdD\ufffd\ufffd\ufffd \ufffd3a(s&\ufffd]\ufffd\ufffd\ufffdh\ufffde\u015c\uec16K1\ufffd\ufffdSR\ufffd\ua8901\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd5Y\ufffdY\ufffdu\ufffd]\ufffds\ufffd2\ufffd\u0016\ufffd\ufffd\u0017\ufffd\ufffdE\ufffd\ufffd\u0501\ufffd\ufffd\u0002D\ufffd\ufffd\ufffd \ufffd3a(s&\ufffd]\u000b\ufffd\ufffd\ufffdh\ufffde\u015c\uec16K1\ufffd\ufffdSR\ufffd\ua8901\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd5Y\ufffdY\ufffdu\ufffd]\ufffds\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffdE\ufffd\ufffd\u0501\ufffd\ufffdD\ufffd\ufffd\ufffd \ufffd3a(s&\ufffd]\ufffd\ufffd\ufffdh\ufffde\u015c\uec16K1\ufffd\ufffdSR\ufffd\ua8901\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��M�ʹ�z�t�C`ṩ�I��O�x_i�� L \|1D��j��EO&z#��u�?=' �@~^�Ix2&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��M�ʹ�z�t�C`ṩ�I��O�x_i�� L \|1D��j��EO&z#��u�?=' �@~^�Ix2&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��M�ʹ�z�t�C`ṩ�I��O�x_i�� L \|1D��j��EO&z#��u�?=' �@~^�Ix2&�+�/�,�0̨̩� �� /5� w �+3&$ ��J��=��/��=gFm4��?�2�j��O Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.816856032817601, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "41ecc3b096113676ac1fc3e8df62529e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\u02b9\ufffdz\u0015\ufffd\u0002t\ufffdC`\u1e69\ufffd\u0002I\ufffd\ufffdO\ufffdx_i\ufffd\ufffd\u0003\nL \|\u00111D\ufffd\ufffdj\ufffd\ufffdEO&z#\ufffd\ufffdu\ufffd?='\t\ufffd\u0014@~^\u0018\ufffdIx2\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\u02b9\ufffdz\u0015\ufffd\u0002t\ufffdC`\u1e69\ufffd\u0002I\ufffd\ufffdO\ufffdx_i\ufffd\ufffd\u0003\nL \|\u00111D\ufffd\ufffdj\ufffd\ufffdEO&z#\ufffd\ufffdu\ufffd?='\t\ufffd\u0014@~^\u0018\ufffdIx2\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdJ\ufffd\ufffd\ufffd=\ufffd\ufffd\/\ufffd\ufffd\ufffd=gFm\b4\ufffd\ufffd\ufffd\ufffd?\ufffd2\ufffdj\ufffd\ufffdO", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\u02b9\ufffdz\u0015\ufffd\u0002t\ufffdC`\u1e69\ufffd\u0002I\ufffd\ufffdO\ufffdx_i\ufffd\ufffd\u0003\nL \|\u00111D\ufffd\ufffdj\ufffd\ufffdEO&z#\ufffd\ufffdu\ufffd?='\t\ufffd\u0014@~^\u0018\ufffdIx2\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eae3e51070721104a9fca50ed7bc4a576b8d5ba8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\u02b9\ufffdz\u0015\ufffd\u0002t\ufffdC`\u1e69\ufffd\u0002I\ufffd\ufffdO\ufffdx_i\ufffd\ufffd\u0003\nL \|\u00111D\ufffd\ufffdj\ufffd\ufffdEO&z#\ufffd\ufffdu\ufffd?='\t\ufffd\u0014@~^\u0018\ufffdIx2\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffdM\ufffd\u02b9\ufffdz\ufffdt\ufffdC`\u1e69\ufffdI\ufffd\ufffdO\ufffdx_i\ufffd\ufffd\nL \|1D\ufffd\ufffdj\ufffd\ufffdEO&z#\ufffd\ufffdu\ufffd?='\t\ufffd@~^\ufffdIx2&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\u02b9\ufffdz\u0015\ufffd\u0002t\ufffdC`\u1e69\ufffd\u0002I\ufffd\ufffdO\ufffdx_i\ufffd\ufffd\u0003\nL \|\u00111D\ufffd\ufffdj\ufffd\ufffdEO&z#\ufffd\ufffdu\ufffd?='\t\ufffd\u0014@~^\u0018\ufffdIx2\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdM\ufffd\u02b9\ufffdz\ufffdt\ufffdC`\u1e69\ufffdI\ufffd\ufffdO\ufffdx_i\ufffd\ufffd\nL \|1D\ufffd\ufffdj\ufffd\ufffdEO&z#\ufffd\ufffdu\ufffd?='\t\ufffd@~^\ufffdIx2&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��B��>C%�a@�k�� l��!�`��<P P��r��E~l��c��bc��?��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��B��>C%�a@�k�� l��!�`��<P P��r��E~l��c��bc��?��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��B��>C%�a@�k�� l��!�`��<P P��r��E~l��c��bc��?��&�+�/�,�0̨̩� �� /5� w �+3&$ �q��[7��4��e�Y��JQn.4n=�`#, Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.9202635983636185, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3e1187a13ebe4873a5ab6f2164132a38", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003B\ufffd\ufffd>\u001aC%\ufffda@\ufffdk\ufffd\ufffd\ufffd\ufffd\rl\ufffd\ufffd\b!\ufffd\u0007\u0004`\ufffd\ufffd<P P\ufffd\ufffd\u001d\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdE~l\ufffd\ufffd\ufffd\u001e\ufffd\ufffdc\ufffd\ufffdbc\ufffd\u000e\ufffd?\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003B\ufffd\ufffd>\u001aC%\ufffda@\ufffdk\ufffd\ufffd\ufffd\ufffd\rl\ufffd\ufffd\b!\ufffd\u0007\u0004`\ufffd\ufffd<P P\ufffd\ufffd\u001d\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdE~l\ufffd\ufffd\ufffd\u001e\ufffd\ufffdc\ufffd\ufffdbc\ufffd\u000e\ufffd?\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdq\ufffd\ufffd[7\ufffd\ufffd\ufffd\ufffd4\ufffd\ufffd\ufffde\ufffdY\ufffd\ufffdJQn.4\u0006n=\ufffd`#,", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003B\ufffd\ufffd>\u001aC%\ufffda@\ufffdk\ufffd\ufffd\ufffd\ufffd\rl\ufffd\ufffd\b!\ufffd\u0007\u0004`\ufffd\ufffd<P P\ufffd\ufffd\u001d\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdE~l\ufffd\ufffd\ufffd\u001e\ufffd\ufffdc\ufffd\ufffdbc\ufffd\u000e\ufffd?\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "56d8030fcc5cc70d13ee84b68940a06073d91372", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003B\ufffd\ufffd>\u001aC%\ufffda@\ufffdk\ufffd\ufffd\ufffd\ufffd\rl\ufffd\ufffd\b!\ufffd\u0007\u0004`\ufffd\ufffd<P P\ufffd\ufffd\u001d\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdE~l\ufffd\ufffd\ufffd\u001e\ufffd\ufffdc\ufffd\ufffdbc\ufffd\u000e\ufffd?\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffdB\ufffd\ufffd>C%\ufffda@\ufffdk\ufffd\ufffd\ufffd\ufffd\rl\ufffd\ufffd!\ufffd`\ufffd\ufffd<P P\ufffd\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdE~l\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffd\ufffdbc\ufffd\ufffd?\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003B\ufffd\ufffd>\u001aC%\ufffda@\ufffdk\ufffd\ufffd\ufffd\ufffd\rl\ufffd\ufffd\b!\ufffd\u0007\u0004`\ufffd\ufffd<P P\ufffd\ufffd\u001d\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdE~l\ufffd\ufffd\ufffd\u001e\ufffd\ufffdc\ufffd\ufffdbc\ufffd\u000e\ufffd?\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdB\ufffd\ufffd>C%\ufffda@\ufffdk\ufffd\ufffd\ufffd\ufffd\rl\ufffd\ufffd!\ufffd`\ufffd\ufffd<P P\ufffd\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffdE~l\ufffd\ufffd\ufffd\ufffd\ufffdc\ufffd\ufffdbc\ufffd\ufffd?\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��0O-<��`{e��"�ķg �� }��zY`,�c��FVdnx��<�y��^&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��0O-<��`{e��"�ķg �� }��zY`,�c��FVdnx��<�y��^&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��0O-<��`{e��"�ķg �� }��zY`,�c��FVdnx��<�y��^&�+�/�,�0̨̩� �� /5� w �+3&$ �7{؉��UB�L��wqX�OUM�H�h Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.802363983312503, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ef660a467d037f68c46def0b1f946025", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030O-<\ufffd\ufffd`\u0014{e\u0003\ufffd\ufffd\u001d\ufffd\u0018\"\ufffd\u0137g\r\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffd\ufffd\u001d\u0014 \ufffd}\u0014\ufffd\ufffdzY`,\ufffdc\ufffd\ufffdFVdnx\ufffd\ufffd\ufffd\ufffd<\ufffdy\u001c\ufffd\ufffd\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030O-<\ufffd\ufffd`\u0014{e\u0003\ufffd\ufffd\u001d\ufffd\u0018\"\ufffd\u0137g\r\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffd\ufffd\u001d\u0014 \ufffd}\u0014\ufffd\ufffdzY`,\ufffdc\ufffd\ufffdFVdnx\ufffd\ufffd\ufffd\ufffd<\ufffdy\u001c\ufffd\ufffd\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd7{\u0609\u001a\ufffd\ufffd\ufffdUB\ufffdL\ufffd\u0013\ufffdw\u001fqX\u0001\ufffd\u0001\u0006OU\u0006M\ufffdH\ufffdh", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030O-<\ufffd\ufffd`\u0014{e\u0003\ufffd\ufffd\u001d\ufffd\u0018\"\ufffd\u0137g\r\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffd\ufffd\u001d\u0014 \ufffd}\u0014\ufffd\ufffdzY`,\ufffdc\ufffd\ufffdFVdnx\ufffd\ufffd\ufffd\ufffd<\ufffdy\u001c\ufffd\ufffd\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "00ca2bfbb7edea1c3b14d5d9ab4e28f7fe6d2292", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030O-<\ufffd\ufffd`\u0014{e\u0003\ufffd\ufffd\u001d\ufffd\u0018\"\ufffd\u0137g\r\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffd\ufffd\u001d\u0014 \ufffd}\u0014\ufffd\ufffdzY`,\ufffdc\ufffd\ufffdFVdnx\ufffd\ufffd\ufffd\ufffd<\ufffdy\u001c\ufffd\ufffd\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd0O-<\ufffd\ufffd`{e\ufffd\ufffd\ufffd\"\ufffd\u0137g\r\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd}\ufffd\ufffdzY`,\ufffdc\ufffd\ufffdFVdnx\ufffd\ufffd\ufffd\ufffd<\ufffdy\ufffd\ufffd\ufffd\ufffd^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030O-<\ufffd\ufffd`\u0014{e\u0003\ufffd\ufffd\u001d\ufffd\u0018\"\ufffd\u0137g\r\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffd\ufffd\u001d\u0014 \ufffd}\u0014\ufffd\ufffdzY`,\ufffdc\ufffd\ufffdFVdnx\ufffd\ufffd\ufffd\ufffd<\ufffdy\u001c\ufffd\ufffd\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd0O-<\ufffd\ufffd`{e\ufffd\ufffd\ufffd\"\ufffd\u0137g\r\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd}\ufffd\ufffdzY`,\ufffdc\ufffd\ufffdFVdnx\ufffd\ufffd\ufffd\ufffd<\ufffdy\ufffd\ufffd\ufffd\ufffd^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��e�yA�&�:��MNv��c��8śc�. ��-5��k�Ȩ�A��OZ\|-��DF�u&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��e�yA�&�:��MNv��c��8śc�. ��-5��k�Ȩ�A��OZ\|-��DF�u&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��e�yA�&�:��MNv��c��8śc�. ��-5��k�Ȩ�A��OZ\|-��DF�u&�+�/�,�0̨̩� �� /5� w �+3&$ ��Ú��⓫I޳�-� ��SGh Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.8068228438721405, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d3a2c2c6959503a065c3e6aeb4ffea83", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde\ufffd\u0015y\u001eA\ufffd&\ufffd:\u0015\ufffd\ufffdMNv\ufffd\ufffdc\b\ufffd\ufffd8\u015bc\ufffd\u0005.\u0013 \ufffd\ufffd\ufffd\ufffd\ufffd\u0010\u001c-5\ufffd\ufffdk\ufffd\u0228\ufffdA\ufffd\ufffdO\u001fZ\|-\ufffd\ufffdDF\b\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde\ufffd\u0015y\u001eA\ufffd&\ufffd:\u0015\ufffd\ufffdMNv\ufffd\ufffdc\b\ufffd\ufffd8\u015bc\ufffd\u0005.\u0013 \ufffd\ufffd\ufffd\ufffd\ufffd\u0010\u001c-5\ufffd\ufffdk\ufffd\u0228\ufffdA\ufffd\ufffdO\u001fZ\|-\ufffd\ufffdDF\b\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00da\ufffd\ufffd\u24ebI\u07b3\ufffd-\u0013\ufffd \u0006\ufffd\u0019\ufffd\ufffdSGh", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde\ufffd\u0015y\u001eA\ufffd&\ufffd:\u0015\ufffd\ufffdMNv\ufffd\ufffdc\b\ufffd\ufffd8\u015bc\ufffd\u0005.\u0013 \ufffd\ufffd\ufffd\ufffd\ufffd\u0010\u001c-5\ufffd\ufffdk\ufffd\u0228\ufffdA\ufffd\ufffdO\u001fZ\|-\ufffd\ufffdDF\b\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72298614084092da635e5be37712845094e2b058", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde\ufffd\u0015y\u001eA\ufffd&\ufffd:\u0015\ufffd\ufffdMNv\ufffd\ufffdc\b\ufffd\ufffd8\u015bc\ufffd\u0005.\u0013 \ufffd\ufffd\ufffd\ufffd\ufffd\u0010\u001c-5\ufffd\ufffdk\ufffd\u0228\ufffdA\ufffd\ufffdO\u001fZ\|-\ufffd\ufffdDF\b\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffde\ufffdyA\ufffd&\ufffd:\ufffd\ufffdMNv\ufffd\ufffdc\ufffd\ufffd8\u015bc\ufffd. \ufffd\ufffd\ufffd\ufffd\ufffd-5\ufffd\ufffdk\ufffd\u0228\ufffdA\ufffd\ufffdOZ\|-\ufffd\ufffdDF\ufffdu&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffde\ufffd\u0015y\u001eA\ufffd&\ufffd:\u0015\ufffd\ufffdMNv\ufffd\ufffdc\b\ufffd\ufffd8\u015bc\ufffd\u0005.\u0013 \ufffd\ufffd\ufffd\ufffd\ufffd\u0010\u001c-5\ufffd\ufffdk\ufffd\u0228\ufffdA\ufffd\ufffdO\u001fZ\|-\ufffd\ufffdDF\b\ufffdu\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffde\ufffdyA\ufffd&\ufffd:\ufffd\ufffdMNv\ufffd\ufffdc\ufffd\ufffd8\u015bc\ufffd. \ufffd\ufffd\ufffd\ufffd\ufffd-5\ufffd\ufffdk\ufffd\u0228\ufffdA\ufffd\ufffdOZ\|-\ufffd\ufffdDF\ufffdu&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP	http	Flood / DDoS http flood · via HTTP:81 · (tentative d'exploit) · → /private.json	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /private.json UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /private.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible /private.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private.json HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /private.json HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "8073fe946fe564c1da0b2d38abe09a9602bc5a79", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "cba94a1b37f4bc1c6667e76235119ed3064bd656", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.441085585159749, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 3, "anomaly_count": 0, "campaign_key": "712c4a3a7eb2a3f785d25a316829a0828959f389", "event_fingerprint": "ed374572357fb1947204dc08bc7bc8d98f47d9c8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "93845ea38aa170401ed6236fe3497b34", "payload_hash": "56f43894d0242a9347a022556b584709", "path_pattern_hash": "45bc7fdb4d234c918d3617f96e56d2a9" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/private.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.json HTTP\/1.1", "request_sample": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/private.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private.json HTTP\/1.1", "request_sample": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f9bdd05f88c743e6ec222c055d495f3e96664c6", "protocol_details": { "http_method": "GET", "http_path": "\/private.json", "request_line": "GET \/private.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.json", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private.json", "request_line": "GET \/private.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:81 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private.json", "evidence_snippet": "GET \/private.json HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��2\rQF��ˣ{�ue]�Ь�(�8D"��4 ��!L�I�Z�B�?'��A�,X�� #�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��2\rQF��ˣ{�ue]�Ь�(�8D"��4 ��!L�I�Z�B�?'��A�,X�� #�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��2\rQF��ˣ{�ue]�Ь�(�8D"��4 ��!L�I�Z�B�?'��A�,X�� #�&�+�/�,�0̨̩� �� /5� w �+3&$ ��A�<��nE�g�4��n��q��C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.878541974203591, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bd3995f463792fa4a024adc4fce626f1", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u00142\\rQF\ufffd\ufffd\u0016\u02e3\u000f{\ufffdue]\ufffd\u042c\ufffd(\ufffd8D\"\ufffd\ufffd\ufffd4\b \ufffd\ufffd\ufffd!L\ufffdI\ufffd\u0015Z\ufffdB\ufffd?'\ufffd\u0017\u001c\ufffd\ufffdA\ufffd,X\ufffd\ufffd\ufffd\r\ufffd#\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u00142\\rQF\ufffd\ufffd\u0016\u02e3\u000f{\ufffdue]\ufffd\u042c\ufffd(\ufffd8D\"\ufffd\ufffd\ufffd4\b \ufffd\ufffd\ufffd!L\ufffdI\ufffd\u0015Z\ufffdB\ufffd?'\ufffd\u0017\u001c\ufffd\ufffdA\ufffd,X\ufffd\ufffd\ufffd\r\ufffd#\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0006\ufffdA\ufffd<\ufffd\ufffdnE\ufffd\u0016\u0017g\ufffd4\u0000\ufffd\ufffdn\ufffd\ufffd\ufffd\ufffd\u0013\ufffdq\ufffd\ufffd\ufffdC", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u00142\\rQF\ufffd\ufffd\u0016\u02e3\u000f{\ufffdue]\ufffd\u042c\ufffd(\ufffd8D\"\ufffd\ufffd\ufffd4\b \ufffd\ufffd\ufffd!L\ufffdI\ufffd\u0015Z\ufffdB\ufffd?'\ufffd\u0017\u001c\ufffd\ufffdA\ufffd,X\ufffd\ufffd\ufffd\r\ufffd#\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "178c3a0dcc2bf92c504d9ccfee3b0c0bc2338106", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u00142\\rQF\ufffd\ufffd\u0016\u02e3\u000f{\ufffdue]\ufffd\u042c\ufffd(\ufffd8D\"\ufffd\ufffd\ufffd4\b \ufffd\ufffd\ufffd!L\ufffdI\ufffd\u0015Z\ufffdB\ufffd?'\ufffd\u0017\u001c\ufffd\ufffdA\ufffd,X\ufffd\ufffd\ufffd\r\ufffd#\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd\ufffd2\\rQF\ufffd\ufffd\u02e3{\ufffdue]\ufffd\u042c\ufffd(\ufffd8D\"\ufffd\ufffd\ufffd4 \ufffd\ufffd\ufffd!L\ufffdI\ufffdZ\ufffdB\ufffd?'\ufffd\ufffd\ufffdA\ufffd,X\ufffd\ufffd\ufffd\r\ufffd#\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u00142\\rQF\ufffd\ufffd\u0016\u02e3\u000f{\ufffdue]\ufffd\u042c\ufffd(\ufffd8D\"\ufffd\ufffd\ufffd4\b \ufffd\ufffd\ufffd!L\ufffdI\ufffd\u0015Z\ufffdB\ufffd?'\ufffd\u0017\u001c\ufffd\ufffdA\ufffd,X\ufffd\ufffd\ufffd\r\ufffd#\ufffd\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd2\\rQF\ufffd\ufffd\u02e3{\ufffdue]\ufffd\u042c\ufffd(\ufffd8D\"\ufffd\ufffd\ufffd4 \ufffd\ufffd\ufffd!L\ufffdI\ufffdZ\ufffdB\ufffd?'\ufffd\ufffd\ufffdA\ufffd,X\ufffd\ufffd\ufffd\r\ufffd#\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }
15/06/2026 15:07:51 UTC	TCP	81 · HTTP ALT 81	http-alt-81	Sonde PostgreSQL postgres probe · via HTTP ALT 81:81 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-81 WAF — Recommandation Surveiller Tags net_flood tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 81 Chemin / cible — Service HTTP ALT 81 Payload ��&��F�$��l�ȗ�vo�T��!\ǆj�� \|��P�"g�� O'٦�cD��"X��_�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��&��F�$��l�ȗ�vo�T��!\ǆj�� \|��P�"g�� O'٦�cD��"X��_�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��&��F�$��l�ȗ�vo�T��!\ǆj�� \|��P�"g�� O'٦�cD��"X��_�&�+�/�,�0̨̩� �� /5� w �+3&$ �4q�v�I/`�7a�͈l�qg. ��6�֘j� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.920050433782684, "port_category": "well_known", "org": "Google LLC", "service": "http-alt-81", "app_proto": "http-alt-81", "asn": 396982, "country": "KR", "dst_port": 81, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 2, "anomaly_count": 0, "campaign_key": "202161fa5e529d82ad07242251047213c17ac292", "event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-81", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "KR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f1be5b8d9e65f3a64ffb4eb9e21f6272", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 81, "service": "http-alt-81", "service_name": "http-alt-81", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&\ufffd\ufffdF\ufffd$\ufffd\ufffdl\ufffd\u0217\ufffd\u0016vo\ufffdT\u001c\ufffd\ufffd\ufffd\ufffd!\\\u01c6j\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\|\ufffd\ufffd\ufffdP\ufffd\"g\ufffd\ufffd\t\ufffdO'\u0666\ufffdcD\ufffd\ufffd\"X\ufffd\ufffd\ufffd\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&\ufffd\ufffdF\ufffd$\ufffd\ufffdl\ufffd\u0217\ufffd\u0016vo\ufffdT\u001c\ufffd\ufffd\ufffd\ufffd!\\\u01c6j\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\|\ufffd\ufffd\ufffdP\ufffd\"g\ufffd\ufffd\t\ufffdO'\u0666\ufffdcD\ufffd\ufffd\"X\ufffd\ufffd\ufffd\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd4q\ufffdv\ufffdI\/`\ufffd7a\ufffd\u0348l\ufffdqg.\t\ufffd\u0005\ufffd6\ufffd\u0598j\ufffd\r", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&\ufffd\ufffdF\ufffd$\ufffd\ufffdl\ufffd\u0217\ufffd\u0016vo\ufffdT\u001c\ufffd\ufffd\ufffd\ufffd!\\\u01c6j\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\|\ufffd\ufffd\ufffdP\ufffd\"g\ufffd\ufffd\t\ufffdO'\u0666\ufffdcD\ufffd\ufffd\"X\ufffd\ufffd\ufffd\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e36f85bb98f5b0ad6cb0fd056db47bc4dd6e9291", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&\ufffd\ufffdF\ufffd$\ufffd\ufffdl\ufffd\u0217\ufffd\u0016vo\ufffdT\u001c\ufffd\ufffd\ufffd\ufffd!\\\u01c6j\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\|\ufffd\ufffd\ufffdP\ufffd\"g\ufffd\ufffd\t\ufffdO'\u0666\ufffdcD\ufffd\ufffd\"X\ufffd\ufffd\ufffd\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "evidence_snippet": "\ufffd\ufffd&\ufffd\ufffdF\ufffd$\ufffd\ufffdl\ufffd\u0217\ufffdvo\ufffdT\ufffd\ufffd\ufffd\ufffd!\\\u01c6j\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\|\ufffd\ufffd\ufffdP\ufffd\"g\ufffd\ufffd\t\ufffdO'\u0666\ufffdcD\ufffd\ufffd\"X\ufffd\ufffd\ufffd\ufffd_\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http-alt-81", "service_label_fr": "HTTP ALT 81", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-81", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&\ufffd\ufffdF\ufffd$\ufffd\ufffdl\ufffd\u0217\ufffd\u0016vo\ufffdT\u001c\ufffd\ufffd\ufffd\ufffd!\\\u01c6j\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\|\ufffd\ufffd\ufffdP\ufffd\"g\ufffd\ufffd\t\ufffdO'\u0666\ufffdcD\ufffd\ufffd\"X\ufffd\ufffd\ufffd\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 81, "service": "http-alt-81", "service_label_fr": "HTTP ALT 81" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 81:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd&\ufffd\ufffdF\ufffd$\ufffd\ufffdl\ufffd\u0217\ufffdvo\ufffdT\ufffd\ufffd\ufffd\ufffd!\\\u01c6j\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\|\ufffd\ufffd\ufffdP\ufffd\"g\ufffd\ufffd\t\ufffdO'\u0666\ufffdcD\ufffd\ufffd\"X\ufffd\ufffd\ufffd\ufffd_\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "81 \u00b7 HTTP ALT 81", "emulator_service": "http-alt-81", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_81", "service_banner": "honeypot-http-alt-81", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-81" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_flood", "tls_clienthello" ], "asn_dc_heuristic": true }

34.64.117.206

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence