|
|
TCP |
9200 · ELASTICSEARCH
|
elasticsearch
|
Tentative d'exploit
exploit attempt · via ELASTICSEARCH:9200 · (tentative d'exploit)
|
Élevée
|
Moyen · 53
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / Requête Elasticsearch : / UA Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/6…
Émulateur
ELASTICSEARCH
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_elasticsearch_probe
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9200
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 53
Confiance : Confiance 62 % — 3 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9200
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: *
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9200 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */*
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c",
"emulator_response_len": 172,
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "690a2121ff3884b792e73e436937b8ffec5ff603",
"http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 134,
"payload_entropy": 5.154297024697998,
"port_category": "registered",
"org": "Google LLC",
"service": "elasticsearch",
"app_proto": "elasticsearch",
"asn": 396982,
"country": "BE",
"dst_port": 9200,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 53,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "1588160a3e3161f8047fceed07bc1754ee5a47dd",
"event_fingerprint": "9fad56c821c1c5ddd2cc50fc2ca67d9c1727e39e",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 53
},
"named_classification_skipped": false,
"service_name": "elasticsearch",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f4dce294ae88e22801a172c8ef9c5026",
"payload_hash": "6fed665a03a9d08ab9fd8229554cb6f8",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9200,
"service": "elasticsearch",
"service_name": "elasticsearch",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0\r\nAccept: *",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0\r\nAccept: *",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0\r\nAccept: *",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "070f8886f1cae2e7a494f164e0a52251687741d3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0",
"elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0\r\nAccept: *",
"attack_vector": "exploit attempt \u00b7 via ELASTICSEARCH:9200 \u00b7 (tentative d'exploit)",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via ELASTICSEARCH",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 53
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "elasticsearch",
"service_label_fr": "ELASTICSEARCH",
"dst_port": 9200,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "Elasticsearch 8.11",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0",
"elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"attack_vector": "exploit attempt \u00b7 via ELASTICSEARCH:9200 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; rv:68.0) Gecko\/20100101 Firefox\/68.0\r\nAccept: *",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "elasticsearch",
"service_banner": "Elasticsearch 8.11",
"service_os": "linux",
"dst_port": "9200"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_elasticsearch_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���r�^C������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���r�^C������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���r�^C������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.659457633828443,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "44160115fa5f51381a0f97377d50b6e5",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000r\ufffd^C\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000r\ufffd^C\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000r\ufffd^C\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1c52fe44d3d51f0ad5ab360a2ab99f99697d5834",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000r\ufffd^C\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":r\ufffd^C\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000r\ufffd^C\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":r\ufffd^C\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:������7������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:������7������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:������7������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0c2f99c5272da9589f82818cd0cd7ebc",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd7\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd7\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd7\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "360491f7e2e48b7213569e8cdb9e5f9c5be985fa",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd7\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffd\ufffd7\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd7\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffd\ufffd7\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:�����d$������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:�����d$������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:�����d$������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.665674640437154,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "629c6a19110c80167b0f606003e7f4c9",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffdd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\ufffdd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffdd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b652a64bc43297685be1d4d572c9cb90daaaa69d",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffdd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffdd$\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffdd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffdd$\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���r�$@������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���r�$@������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���r�$@������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.659457633828443,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bf089461f6c035f73fd031a1be840742",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000r\u0005$@\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000r\u0005$@\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000r\u0005$@\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6660d2baeea4d0ed0a3cf751844bc040c9af2652",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000r\u0005$@\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":r$@\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000r\u0005$@\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":r$@\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����f��������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����f��������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����f��������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.673605293289617,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f112e49c4e72bc4fd77e169e2e9e1c10",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffdf\ufffd\u0019\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffdf\ufffd\u0019\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffdf\ufffd\u0019\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a90ba1ec32ae83130626cb79f07f6ed9a0803f3e",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdf\ufffd\u0019\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffdf\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdf\ufffd\u0019\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffdf\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:������������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:������������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:������������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0e0d0d07e7db573b1ef9e19aa009dc17",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\ufffd\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ed0c1670ced967c1f8941b13d096c8aaeefbf3b9",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����f>������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����f>������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����f>������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.673605293289617,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "73e6ffad1a06ab16d58e962a826d41e4",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffdf>\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffdf>\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffdf>\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bf75cf3373f15032574be3cc05c758da27685983",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdf>\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffdf>\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdf>\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffdf>\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����yub������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����yub������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����yub������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6541789701364005,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8b11c50567f9faaaf55bd691f5f563c5",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffdyub\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffdyub\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffdyub\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "51b7668bb2ac02463d2dcae27cd3480433d5157f",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdyub\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffdyub\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdyub\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffdyub\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����>S�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����>S�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����>S�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6760093936149785,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "80674adbfe27345bdf28815c058de3b4",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd>S\u0013\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd>S\u0013\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd>S\u0013\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "445424b1f042f730642346095b54c23811aa58b6",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd>S\u0013\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd>S\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd>S\u0013\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd>S\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 2,
"behavior_priority": 72
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����s�$������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����s�$������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����s�$������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6621606179920585,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "24e4a6b5a1d1348a696cd4cc87f95e3c",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffds\ufffd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffds\ufffd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffds\ufffd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a67f20669fae1b99ee04d4667078c62560937638",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffds\ufffd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffds\ufffd$\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffds\ufffd$\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffds\ufffd$\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���� �t������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����
�t������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���� �t������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.666564163667069,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ddcdedc511e45aaef5dfa175399e67bd",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\r\u000et\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\r\u000et\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\r\u000et\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "eb94eccae93690aa4fe9432ef329fdfa0294e5bc",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\r\u000et\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\rt\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\r\u000et\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\rt\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����4�l������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����4�l������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����4�l������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.661184482684871,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bf111458c8a9d88b6ee50c92a13cc65c",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd4\ufffdl\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd4\ufffdl\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd4\ufffdl\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2107b188d2ca93e7c3b0d3b9490abfcdae03f8c5",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd4\ufffdl\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd4\ufffdl\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd4\ufffdl\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd4\ufffdl\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���9�)}������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���9�)}������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���9�)}������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fce8f01a9c5fb234769da941880ae79f",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u00009\ufffd)}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u00009\ufffd)}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u00009\ufffd)}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0e8348b3001c8934b80574e22d2505c2bdd195f0",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u00009\ufffd)}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":9\ufffd)}\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u00009\ufffd)}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":9\ufffd)}\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:������:������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:������:������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:������:������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6760093936149785,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9abff7809e388bbdd1ce0c9615e37d58",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd:\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd:\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd:\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3e04a37cb259207c2712f9272de809713743c734",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd:\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffd\ufffd:\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd:\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffd\ufffd:\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���T�^K������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���T�^K������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���T�^K������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6760093936149785,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ff73311c70b7f21c31c2d5fcb5329e58",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000T\ufffd^K\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000T\ufffd^K\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000T\ufffd^K\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b169e12b4a901a2ef28d477dd790d3f7cab9da76",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000T\ufffd^K\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":T\ufffd^K\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000T\ufffd^K\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":T\ufffd^K\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:������ ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:�������������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:������ ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "27c7237a14d37cbff7b7d69c54fe07f0",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3ba5ad4fff81a6cf23ab2ac2b4b1f94b53808dce",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffd\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\ufffd\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffd\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����`�S������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����`�S������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����`�S������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a88b3c9b2ad734faed3a13eeedc8d21b",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd`\ufffdS\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd`\ufffdS\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd`\ufffdS\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ca98e9c339299ed497c897226340c6921683765f",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd`\ufffdS\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd`\ufffdS\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd`\ufffdS\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd`\ufffdS\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���k3;G������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���k3;G������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���k3;G������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.662109622988862,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d2b5766b09dfa7ec011a4dc5ef0ebb72",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000k3;G\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000k3;G\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000k3;G\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4c62e6221cb602935908c304045aba0beef10ca7",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000k3;G\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":k3;G\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000k3;G\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":k3;G\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����� }������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����� }������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����� }������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6760093936149785,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0626330e60684e0f5e30a785205b7059",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\t}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\ufffd\t}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\t}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "959e3e9326da4439bd7ff162c6f18630ff8b0cc6",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\t}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffd\t}\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\t}\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffd\t}\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���Ī�B������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���Ī�B������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���Ī�B������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "59c7580c013ab0fe9eca700fdd30cd61",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\u012a\ufffdB\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\u012a\ufffdB\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\u012a\ufffdB\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c2c6182c7069acd2d0aae1b014e6b21d67fcbd17",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u012a\ufffdB\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\u012a\ufffdB\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u012a\ufffdB\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\u012a\ufffdB\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:������f������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:������f������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:������f������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.673605293289617,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "028d74011763fce15ebe9476c0368ba6",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\u001df\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\ufffd\u001df\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd\u001df\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5fad691baaa6592f561233ea12c5f05cc41f7a07",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\u001df\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffdf\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd\u001df\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffdf\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���*��X������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���*��X������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���*��X������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.670883150065817,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "da489ead72c08d16b1c35f1096535478",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000*\ufffd\ufffdX\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000*\ufffd\ufffdX\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000*\ufffd\ufffdX\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e1f664548270fab998b7a007e72d894e84943603",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000*\ufffd\ufffdX\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":*\ufffd\ufffdX\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000*\ufffd\ufffdX\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":*\ufffd\ufffdX\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���^hf+������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���^hf+������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���^hf+������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.65574019623727,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "eadefbe6702e37a0fa4cefb095b530f4",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000^hf+\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000^hf+\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000^hf+\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c9051a3cae858b5d05d4aca00dbc07f84c4024b7",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000^hf+\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":^hf+\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000^hf+\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":^hf+\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���2��N������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���2��N������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���2��N������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6720440671887475,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "30536b9726bef7eeffe9ae94846a6ec4",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u00002\ufffd\u001dN\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u00002\ufffd\u001dN\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u00002\ufffd\u001dN\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8defc149fe59bc755768be4e952e54783fe214f7",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u00002\ufffd\u001dN\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":2\ufffdN\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u00002\ufffd\u001dN\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":2\ufffdN\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����7! ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����7!�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����7! ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "41cb8c7e7b42cab87d8f0b3ff68939fb",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd7!\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd7!\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd7!\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3bea427c81162550b593edd8f522072fda24ec43",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd7!\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd7!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd7!\f\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd7!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����!'I������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����!'I������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����!'I������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "edc434b058b886db3c7f961f66365f18",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd!'I\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd!'I\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd!'I\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c0d1c7cd7f59f13255d854646391d11ca20741be",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd!'I\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd!'I\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd!'I\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd!'I\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����D� ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����D��������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����D� ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6760093936149785,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a0d4c3b685b7a7a4f8b0635bbd6ce46c",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffdD\ufffd\u000b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffdD\ufffd\u000b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffdD\ufffd\u000b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8a7dbcc5d876bccac92c3515c3e93498b9cc5cb5",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdD\ufffd\u000b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffdD\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdD\ufffd\u000b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffdD\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���J�3.������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���J�3.������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���J�3.������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.655946984664884,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f080700668f324fc6babf0c67d765ac6",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000J\ufffd3.\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000J\ufffd3.\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000J\ufffd3.\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f9d3cc65acaef836c41e69bf0c5b4f1901a1712e",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000J\ufffd3.\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":J\ufffd3.\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000J\ufffd3.\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":J\ufffd3.\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:�����tj������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:�����tj������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:�����tj������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.666564163667069,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4a68763acd18915a46c6783999f187ef",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffdtj\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\ufffdtj\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffdtj\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e958321c5d6be5ac42f08dad7691b7d9bf92bfcf",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffdtj\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffdtj\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffdtj\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffdtj\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���S�]5������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���S�]5������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���S�]5������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0a7539333008c8eed8a1289c256e2505",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000S\ufffd]5\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000S\ufffd]5\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000S\ufffd]5\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c4852f4dbf07b53897bbf0f0af124d6cfdadb126",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000S\ufffd]5\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":S\ufffd]5\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000S\ufffd]5\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":S\ufffd]5\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:������*������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:������*������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:������*������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "36f928fe59da9b504d511f620cbfe45d",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\u0019\ufffd\ufffd*\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\u0019\ufffd\ufffd*\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\u0019\ufffd\ufffd*\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c8a0f9bd102d4b3dcd07b24b9e75d85127b0503a",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u0019\ufffd\ufffd*\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffd*\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u0019\ufffd\ufffd*\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffd*\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����(Q ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����(Q ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����(Q ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6760093936149785,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "93c93fc7b1faf1abef1f8f4a56d559ec",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd(Q\t\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd(Q\t\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd(Q\t\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d6dcdfa4efbc35f0356048a868639223d64e12a1",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd(Q\t\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd(Q\t\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd(Q\t\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd(Q\t\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����Q!,������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����Q!,������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����Q!,������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "80c12dd457697b5ac33a3dae35c152cb",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffdQ!,\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffdQ!,\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffdQ!,\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "78b3db46c2a644e8e29bbbf4b5c187ff62c84880",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdQ!,\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffdQ!,\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdQ!,\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffdQ!,\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����i�;������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����i�;������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����i�;������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.666564163667069,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3e5bf9c240a394d1c29bacbafd2d59d5",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffdi\ufffd;\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffdi\ufffd;\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffdi\ufffd;\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b21d411ce36c6febab64042639b977841ba8bdaf",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdi\ufffd;\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffdi\ufffd;\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdi\ufffd;\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffdi\ufffd;\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���A��r������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���A��r������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���A��r������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6658270605800345,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "92a0e342874740f0558f4e2723597300",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000A\ufffd\ufffdr\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000A\ufffd\ufffdr\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000A\ufffd\ufffdr\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6dff2d635491416fd24a1d1242aebb3a07872c85",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000A\ufffd\ufffdr\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":A\ufffd\ufffdr\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000A\ufffd\ufffdr\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":A\ufffd\ufffdr\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����][�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����][�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����][�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2460850804418d62f576beafe14ec82c",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\u0018][\u0005\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\u0018][\u0005\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\u0018][\u0005\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5cf9cac73c416d814fc00e93144d438503362e2f",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u0018][\u0005\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":][\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u0018][\u0005\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":][\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:�����6�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:�����6�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:�����6�������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.670883150065816,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "efbaf51071a3d29f665a3177b69cd6c9",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd6\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\ufffd6\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\ufffd6\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "59749603a40d8c42e8b067c7caf5dc2bcc697ef6",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd6\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\ufffd6\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\ufffd6\u001b\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\ufffd6\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���@��!������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���@��!������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���@��!������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "65ccd0353335a12b044961a1d42d9d5b",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000@\ufffd\ufffd!\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000@\ufffd\ufffd!\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000@\ufffd\ufffd!\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "932e9631b2557a475f8974287a00de35a95be6fe",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000@\ufffd\ufffd!\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":@\ufffd\ufffd!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000@\ufffd\ufffd!\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":@\ufffd\ufffd!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:�����GF������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:�����GF������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:�����GF������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6760093936149785,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "48956f9b6d44e457745a1984500f9dae",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\u001a\u0013GF\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\u001a\u0013GF\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\u001a\u0013GF\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dbe73769a08065e9b12a70afb20ac25f75fce2be",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u001a\u0013GF\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":GF\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u001a\u0013GF\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":GF\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���E*}/������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���E*}/������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���E*}/������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0e9cd9f2f24cf4bcb6018ebf74732a7b",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000E*}\/\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000E*}\/\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000E*}\/\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "eefaee34e8e9e9a4ce1a8adbdc203ee314a3f37d",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000E*}\/\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":E*}\/\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000E*}\/\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":E*}\/\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���w��6������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���w��6������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���w��6������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.670883150065816,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dea9d59bc8cf35edd416d2772db1d2a5",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000w\ufffd\ufffd6\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000w\ufffd\ufffd6\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000w\ufffd\ufffd6\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c2f990db3eb52940c1b33a1a56b6222e558d3518",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000w\ufffd\ufffd6\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":w\ufffd\ufffd6\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000w\ufffd\ufffd6\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":w\ufffd\ufffd6\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���ؚ�w������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���ؚ�w������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���ؚ�w������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2e106efce657e6b79aeff7de082beda5",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\u061a\ufffdw\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\u061a\ufffdw\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\u061a\ufffdw\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dd878f5cbf91d10e7fc68b8e5f47e6a40d4cc8b7",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u061a\ufffdw\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\u061a\ufffdw\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u061a\ufffdw\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\u061a\ufffdw\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:���hj|X������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:���hj|X������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:���hj|X������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.664513723314223,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2aa0a5b23b633783c38bb7af8982fb24",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000hj|X\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000hj|X\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000hj|X\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "08653e6b26db678a06cca8cc132e61f283c338c9",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000hj|X\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":hj|X\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000hj|X\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":hj|X\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_mongodb_wire_protocol
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����D G������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����D
G������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����D G������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "b4f5d9d16aea17262e205e237bf9ad2a7cb165e0",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "266167a70b85aa80aec81b4824e03859",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\u000fD\rG\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\u000fD\rG\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\u000fD\rG\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6e01429df594f7531ceae4091cb89aae7c2fa5ca",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u000fD\rG\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":D\rG\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u000fD\rG\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":D\rG\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_bruteforce_burst
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����+T ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����+T
������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����+T ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.669639966863385,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "c4ac3118d7473e99ee83d670158aed2aa3dc390c",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "12b2c6f94e6923b9423a62ffb4711f65",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd+T\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd+T\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd+T\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c76be549398d8afbf9926f1612128e6e20dd163e",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd+T\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd+T\r\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd+T\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd+T\r\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_bruteforce_burst",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_mongodb_wire_protocol
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����}��������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����}��������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����}��������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "b4f5d9d16aea17262e205e237bf9ad2a7cb165e0",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dc43a00e8beac13ac6716a950e83d70d",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\u001e}\ufffd\u001c\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\u001e}\ufffd\u001c\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\u001e}\ufffd\u001c\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4a8aee9c104317f66d0d05580273f853aee46fa5",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u001e}\ufffd\u001c\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":}\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\u001e}\ufffd\u001c\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":}\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_mongodb_wire_protocol
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����m�9������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����m�9������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����m�9������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.669188662882251,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "b4f5d9d16aea17262e205e237bf9ad2a7cb165e0",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "971514ad680a79981f6e201d225ff29c",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffdm\ufffd9\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffdm\ufffd9\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffdm\ufffd9\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d8bd24aec8eb5d322825a0de64dcf7adcdd6aa3f",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdm\ufffd9\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffdm\ufffd9\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffdm\ufffd9\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffdm\ufffd9\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_mongodb_wire_protocol
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:����ί ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:����ί
������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:����ί ������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.68237882036657,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "b4f5d9d16aea17262e205e237bf9ad2a7cb165e0",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2abd8641b4356fb0962b60971e4958c2",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\u03af\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\u03af\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\u03af\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6ea2e0bf65a6d7b53da5a071f6f3c3ac3ab10f59",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\u03af\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffd\u03af\r\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\u03af\r\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffd\u03af\r\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27017 · MONGODB
|
mongodb
|
Protocole wire MongoDB
mongodb wire protocol · via MONGODB:27017 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
MONGODB
WAF
—
Recommandation
Surveiller
Tags
mongodb_emulated
mongodb_hello_probe
mongodb_wire_protocol
net_mongodb_wire_protocol
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27017
Chemin / cible
—
Service
MONGODB
Payload
:�����rV������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
ET-PROTO-MongoDB-Wire
pat-0363
pat-0364
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
:�����rV������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name�
���PyMongo|c��version�����4.13
Requête brute (extrait)
:�����rV������������admin.$cmd��������������ismaster������helloOk���client������driver�-����name� ���PyMongo|c��version�����4.13.2���os�T����type�����Linux��name�����Linux��architecture�����x86_64��version� ���6.12.68+���platform�����CPython 3.13.3.final.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 314,
"payload_entropy": 4.6658270605800345,
"port_category": "registered",
"org": "Google LLC",
"service": "mongodb",
"app_proto": "mongodb",
"asn": 396982,
"country": "BE",
"dst_port": 27017,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "b4f5d9d16aea17262e205e237bf9ad2a7cb165e0",
"event_fingerprint": "3d0cef10d983b0efd34b4cdcc0b7c5f8287f4783",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 206,
"precision_signals": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"kb_rule_ids": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "mongodb",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "af21c1e4c4ac814a25493c6847293f49",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 27017,
"service": "mongodb",
"service_name": "mongodb",
"risk_score": 38
},
"payload_snippet": ":\u0001\u0000\u0000\ufffd\u0005rV\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"evidence": {
"request_sample": ":\u0001\u0000\u0000\ufffd\u0005rV\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13.2\u0000\u0000\u0003os\u0000T\u0000\u0000\u0000\u0002type\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002name\u0000\u0006\u0000\u0000\u0000Linux\u0000\u0002architecture\u0000\u0007\u0000\u0000\u0000x86_64\u0000\u0002version\u0000\t\u0000\u0000\u00006.12.68+\u0000\u0000\u0002platform\u0000\u0017\u0000\u0000\u0000CPython 3.13.3.final.0",
"payload_snippet": ":\u0001\u0000\u0000\ufffd\u0005rV\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "faad0e355e22daad86bdb8e7fcd9db4b83d48eb0",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\u0005rV\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"evidence_snippet": ":\ufffdrV\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 25,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "mongodb",
"service_label_fr": "MONGODB",
"dst_port": 27017,
"protocol_emulated": true,
"tags_summary": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"INT-upstream"
],
"tags_summary_labels_fr": [
"ET-PROTO-MongoDB-Wire",
"pat-0363",
"pat-0364",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": ":\u0001\u0000\u0000\ufffd\u0005rV\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0013\u0001\u0000\u0000\u0010ismaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u0000-\u0000\u0000\u0000\u0002name\u0000\n\u0000\u0000\u0000PyMongo|c\u0000\u0002version\u0000\u0007\u0000\u0000\u00004.13",
"port": 27017,
"service": "mongodb",
"service_label_fr": "MONGODB"
},
"attack_vector": "mongodb wire protocol \u00b7 via MONGODB:27017 \u00b7 (sonde \/ probe)",
"evidence_snippet": ":\ufffdrV\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdismasterhelloOkclient\ufffddriver-name\nPyMongo|cversion4.13",
"target_port_label": "27017 \u00b7 MONGODB",
"emulator_service": "mongodb",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb",
"service_banner": "honeypot-mongodb",
"service_os": "linux",
"dst_port": "27017"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_emulated",
"mongodb_hello_probe",
"mongodb_wire_protocol",
"net_mongodb_wire_protocol",
"rdp_cookie_alt"
],
"asn_dc_heuristic": true
}
|