Renseignement sur les menaces

Belgique

34.78.120.132

FAI Google LLC Première vue 17/06/2026 09:46 UTC Dernière vue 20/06/2026 09:23 UTC Risque Moyen

Période analysée : 2026-05-21 → 2026-06-20

Activité suspecte · risque 38/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 45/100 Moyen

Première observation 17/06/2026 09:46 UTC

Dernière observation 20/06/2026 09:23 UTC

Événements (période) 93

MITRE ATT&CK principal TA0007 75 occurrences

Activité suspecte · risque 38/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_7011_tcp » (signaux protocolaires) · confiance 55%

Confiance 55 % — Score WAF 32 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.78.112.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 93 événements sur la période pour cette IP.

162.216.150.43 Sonde PostgreSQL 20/06/2026 09:30 UTC
35.203.211.53 Scanner web 20/06/2026 09:30 UTC
198.235.24.125 epmd 20/06/2026 09:29 UTC
162.216.150.160 Sonde PostgreSQL 20/06/2026 09:26 UTC
35.187.13.22 Sonde port 3155/TCP 20/06/2026 09:25 UTC
34.77.191.38 Sonde port 12166/TCP 20/06/2026 09:25 UTC
34.14.21.193 Sonde port 9156/TCP 20/06/2026 09:24 UTC
147.185.133.62 Sonde PostgreSQL 20/06/2026 09:24 UTC

Événements (filtres)

Première observation

17/06/2026 09:46 UTC

Dernière observation

20/06/2026 09:23 UTC

Dernière activité (filtres)

20/06/2026 09:24 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 86 DOCKER TLS TCP 2 K8S API TCP 1 WINRM TCP 1 COUCHDB TCP 1 ELASTICSEARCH TRANSPORT ALT TCP 1

HTTP

DOCKER TLS

K8S API

WINRM

COUCHDB

ELASTICSEARCH TRANSPORT ALT

Géolocalisation

Origine réseau déclarée

Belgique unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 9550 port_9550_tcp

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

port 7011 tcp · via HTTP:7011 · (sonde / probe)

Détails protocole

Méthode: GET
Chemin: /
User-Agent: python-requests/2.32.5

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:7011 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connecti

Port / service

7011 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Confiance

55%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

93 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

93 événement(s) — page 2/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 12:16:51 UTC	TCP	8086 · HTTP	http	Sonde port 8086/TCP port 8086 tcp · via HTTP:8086 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible / Preuve honeypot — Sonde port 8086/TCP Connexion détectée sur le port 8086 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8086_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8086 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8086 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "dca14bd323afb7abea7bafa539fc0b23ad09cfc0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.116248125028156, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8086, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "8da6963188e06e54085abc609e8aa105c2a076f6", "event_fingerprint": "ee5c2d229bc0f37136f76f79dd0cd8dc0ea79d1a", "classification_reason": "Type \u00ab port_8086_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "5a7173409cb4facf2cb99fd7e94d2364", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8086_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6b6586e7899e840e6a100b83a9d076a1f473c534", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8086, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8086 tcp \u00b7 via HTTP:8086 \u00b7 (sonde \/ probe)", "target_port_label": "8086 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8086_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8086_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8086, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8086, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8086 tcp \u00b7 via HTTP:8086 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8086\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8086 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "winrm" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 12:14:14 UTC	TCP	5985 · WINRM	winrm	Sonde WinRM winrm probe · via WINRM:5985 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur WINRM WAF — Recommandation Surveiller Tags http_get_probe net_winrm_probe winrm_emulated winrm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5985 Chemin / cible — Service WINRM Payload GET / HTTP/1.1 Host: 62.3.50.33:5985 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Pourquoi cette classification : Type « winrm_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 24 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5985 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5985 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e312034303120556e617574686f72697a65640d0a5757572d41757468656e7469636174653a204e65676f74696174650d0a436f6e74656e742d4c656e6774683a20300d0a0d0a", "emulator_response_len": 77, "bytes_in": 146, "payload_entropy": 5.116248125028156, "port_category": "registered", "org": "Google LLC", "service": "winrm", "app_proto": "winrm", "asn": 396982, "country": "BE", "dst_port": 5985, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 46, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 46, "novelty": 15 }, "risk_score": 24, "tag_count": 4, "anomaly_count": 0, "campaign_key": "517cc1b4bef40760fee9c1649c6c0bb752cac87d", "event_fingerprint": "69c3741eda286def0bdd9c17863648ff58bc3b2f", "classification_reason": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 46, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "winrm", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6bb9e2f81b05f3ea229ed6187da5ea9f", "path_pattern_hash": "a98d2328dfdc853a4ac94ea7611b67e5" }, "target_context": { "dst_port": 5985, "service": "winrm", "service_name": "winrm", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4dcbcac39bfc2008025670a48809ce851153a7d3", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 5985, "service": "winrm", "service_label_fr": "WINRM" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "winrm probe \u00b7 via WINRM:5985 \u00b7 (sonde \/ probe)", "target_port_label": "5985 \u00b7 WINRM", "emulator_service": "winrm", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 46, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "winrm", "service_label_fr": "WINRM", "dst_port": 5985, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-winrm", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 5985, "service": "winrm", "service_label_fr": "WINRM" }, "attack_vector": "winrm probe \u00b7 via WINRM:5985 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5985 \u00b7 WINRM", "emulator_service": "winrm", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "winrm", "service_banner": "honeypot-winrm", "service_os": "linux", "dst_port": "5985" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "winrm" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_winrm_probe", "winrm_emulated", "winrm_payload" ], "asn_dc_heuristic": true }
17/06/2026 12:13:44 UTC	TCP	16002 · HTTP	http	Sonde port 16002/TCP port 16002 tcp · via HTTP:16002 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16002 Chemin / cible / Preuve honeypot — Sonde port 16002/TCP Connexion détectée sur le port 16002 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16002_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16002 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16002 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "fd0b5114ea3caa710d60c387ad2acc0d42e43ab8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.094250257458573, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16002, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "30dd3f22754a5b1b2c8a8880b0120b6f8f8eea9a", "event_fingerprint": "1480b0ebd4dcd80a9422ad638909c53697100f75", "classification_reason": "Type \u00ab port_16002_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "33f4e79919427e60846ceb5d9b37a64e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16002, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16002\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16002\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16002\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16002\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16002\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16002_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ded0a7fc9e48ee39ae51ba40e5e4e8e17e6bb25", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16002, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16002\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16002 tcp \u00b7 via HTTP:16002 \u00b7 (sonde \/ probe)", "target_port_label": "16002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16002_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16002_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16002, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16002, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16002 tcp \u00b7 via HTTP:16002 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16002\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16002 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 12:07:50 UTC	TCP	11434 · HTTP	http	Scan de ports port scan syn · via HTTP:11434 · (reconnaissance)	Élevée	Moyen · 44
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11434 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 44 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:11434 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:11434 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "0edcf6ab7022a3c1a90b1ad0670bd95a56782eca", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.102041053565556, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 11434, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 44, "tag_count": 5, "anomaly_count": 1, "campaign_key": "b0157be0baca064e776b5b6bdd864e952ca90825", "event_fingerprint": "d5e0a124b6c8c88b138ac370b20015015eca08b8", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "1ae0550ea4df6d39ff90714712738261", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 11434, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7bd4bc230fe62b1dab5479347685e8925b8bb7d7", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 11434, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port scan syn \u00b7 via HTTP:11434 \u00b7 (reconnaissance)", "target_port_label": "11434 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 44 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 11434, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 11434, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:11434 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "11434 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "11434" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 12:07:30 UTC	TCP	9186 · HTTP	http	Sonde port 9186/TCP port 9186 tcp · via HTTP:9186 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9186 Chemin / cible / Preuve honeypot — Sonde port 9186/TCP Connexion détectée sur le port 9186 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9186_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9186 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9186 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "a5d6923a6cdebc39eeb14d77b93aad0b6893cf46", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9186, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "aa8b9fcd205f1c38f0c361492ebd3fc026c4d48f", "event_fingerprint": "c1fc7929f4845f88c5f129990326c82ed68feb4b", "classification_reason": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "524b32e88c7754781369a1b7fb3412d9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9186, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e23a206082640d6b7f464453d1fb312a1e70f8e1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9186, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9186 tcp \u00b7 via HTTP:9186 \u00b7 (sonde \/ probe)", "target_port_label": "9186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9186, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9186, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9186 tcp \u00b7 via HTTP:9186 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9186" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 12:07:03 UTC	TCP	7011 · HTTP	http	Sonde port 7011/TCP port 7011 tcp · via HTTP:7011 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7011 Chemin / cible / Preuve honeypot — Sonde port 7011/TCP Connexion détectée sur le port 7011 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_7011_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7011 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7011 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "f28abb74372501b3a2564f48990239926e1962f9", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 7011, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "ae926abd682cd886044e24f99c0e9d6976b594d2", "event_fingerprint": "7092ed1cce60d766fd6aceb4ebef2059084eb936", "classification_reason": "Type \u00ab port_7011_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "42002e2185c01407d49b545992617fda", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7011, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7011\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7011\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7011\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7011\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7011\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_7011_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea2f20d55524a668da6fc1309a3ededcd69075fb", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 7011, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7011\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 7011 tcp \u00b7 via HTTP:7011 \u00b7 (sonde \/ probe)", "target_port_label": "7011 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_7011_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_7011_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7011, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 7011, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 7011 tcp \u00b7 via HTTP:7011 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7011\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "7011 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7011" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 12:04:14 UTC	TCP	9189 · HTTP	http	Sonde port 9189/TCP port 9189 tcp · via HTTP:9189 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9189 Chemin / cible / Preuve honeypot — Sonde port 9189/TCP Connexion détectée sur le port 9189 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9189_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9189 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9189 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d90a81b9e4278e0ed1a7467ab002b00fc352f6b2", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9189, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "ff374bac0d1b1ba662c064a1f1bf6921999c6e44", "event_fingerprint": "8fb5926986f4c1e8753eb9029cfad3dcc64ed787", "classification_reason": "Type \u00ab port_9189_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "371733bdac400578a260726df53bc6d8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9189, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9189\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9189\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9189\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9189\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9189\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9189_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4f20586c810930ee397451d00914ec0764f8b992", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9189, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9189\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9189 tcp \u00b7 via HTTP:9189 \u00b7 (sonde \/ probe)", "target_port_label": "9189 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9189_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9189_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9189, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9189, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9189 tcp \u00b7 via HTTP:9189 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9189\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9189 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9189" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 12:02:26 UTC	TCP	9159 · HTTP	http	Sonde port 9159/TCP port 9159 tcp · via HTTP:9159 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9159 Chemin / cible / Preuve honeypot — Sonde port 9159/TCP Connexion détectée sur le port 9159 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9159_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9159 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9159 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "f3e9de7eba05ada9b0f44bf35aba79d54ddee4a6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.105907200340986, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9159, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "48236b59456e603acce4702dfd396c259bb76b43", "event_fingerprint": "ab714a731737aaf0296b2bd6dd1a7d95695d5a5a", "classification_reason": "Type \u00ab port_9159_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c5581234c6c500a5ed2eaa84268cd226", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9159, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9159\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9159\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9159\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9159\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9159\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9159_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "846cab5b60018c58cd667ce51a09415619328e3c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9159, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9159\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9159 tcp \u00b7 via HTTP:9159 \u00b7 (sonde \/ probe)", "target_port_label": "9159 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9159_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9159_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9159, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9159, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9159 tcp \u00b7 via HTTP:9159 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9159\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9159 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9159" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 12:02:18 UTC	TCP	9183 · HTTP	http	Sonde port 9183/TCP port 9183 tcp · via HTTP:9183 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9183 Chemin / cible / Preuve honeypot — Sonde port 9183/TCP Connexion détectée sur le port 9183 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9183_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9183 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9183 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "76df07b5ba908646d348211ff03805a18664815c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.113751358065142, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9183, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "957de45a7c5185e4816286e196fc7fcd3b588835", "event_fingerprint": "4755f8db25612a9a92294e5405162a0973ad3fa5", "classification_reason": "Type \u00ab port_9183_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "a970ff7c4b05a656219447dbeb0c5696", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9183, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9183_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f58eaed76ebcc2cd5ab3994135725c1411a3f946", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9183, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9183 tcp \u00b7 via HTTP:9183 \u00b7 (sonde \/ probe)", "target_port_label": "9183 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9183_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9183_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9183, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9183, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9183 tcp \u00b7 via HTTP:9183 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9183 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9183" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
17/06/2026 12:00:56 UTC	TCP	21290 · HTTP	http	Sonde port 21290/TCP port 21290 tcp · via HTTP:21290 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 21290 Chemin / cible / Preuve honeypot — Sonde port 21290/TCP Connexion détectée sur le port 21290 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_21290_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21290 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21290 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "14b15118ef96f0e8cc3cd408a329b27c9651b27a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.102041053565556, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 21290, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "23ea07a14e894bf12eeada3da0ed77c97ea2111a", "event_fingerprint": "cc063259c80e18b9d698eed4bd7f0bcc0ca1a713", "classification_reason": "Type \u00ab port_21290_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "9ce55705bef020913f44cdb5bfc372d4", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 21290, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21290\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21290\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21290\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21290\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21290\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_21290_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e98243797c32473d45e5226570c4ce6d7704a936", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21290\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 21290 tcp \u00b7 via HTTP:21290 \u00b7 (sonde \/ probe)", "target_port_label": "21290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_21290_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_21290_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 21290, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 21290 tcp \u00b7 via HTTP:21290 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21290\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "21290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "21290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 12:00:36 UTC	TCP	16404 · HTTP	http	Sonde port 16404/TCP port 16404 tcp · via HTTP:16404 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16404 Chemin / cible / Preuve honeypot — Sonde port 16404/TCP Connexion détectée sur le port 16404 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16404_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16404 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16404 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "127701da243c959897062d8032a66c4ac7543ab6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.121461141812316, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16404, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "89b871183bf5f6bc2b39ebbc6bf1f1fd254415bc", "event_fingerprint": "a1ea69d7f3a82f188dd7d973bca1d0c711fcbef8", "classification_reason": "Type \u00ab port_16404_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "431dcdedfa4b98a92943d7c834938168", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16404, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16404_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "97ccc6b94ee3114299a81b3dff787267acaa54a3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16404, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16404 tcp \u00b7 via HTTP:16404 \u00b7 (sonde \/ probe)", "target_port_label": "16404 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16404_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16404_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16404, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16404, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16404 tcp \u00b7 via HTTP:16404 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16404\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16404 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16404" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:59:39 UTC	TCP	2259 · HTTP	http	Sonde port 2259/TCP port 2259 tcp · via HTTP:2259 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2259 Chemin / cible / Preuve honeypot — Sonde port 2259/TCP Connexion détectée sur le port 2259 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_2259_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2259 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2259 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "740c1bdc46872b27eb1f92c51faa751f2989481e", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.091524560134753, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2259, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "e2bb292a1fd9bdce7f505e929e03edc71890332f", "event_fingerprint": "e3a89cb78a822ee5dfc358e381aec691b1fa5992", "classification_reason": "Type \u00ab port_2259_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c585d4d975c08ce26653cc788803791d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2259, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2259\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2259\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2259\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2259\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2259\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_2259_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e83fe865f656924c851d2a5214b91c44760691f3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2259, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2259\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 2259 tcp \u00b7 via HTTP:2259 \u00b7 (sonde \/ probe)", "target_port_label": "2259 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_2259_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_2259_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2259, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2259, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 2259 tcp \u00b7 via HTTP:2259 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2259\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2259 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2259" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:58:58 UTC	TCP	12220 · HTTP	http	Sonde port 12220/TCP port 12220 tcp · via HTTP:12220 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12220 Chemin / cible / Preuve honeypot — Sonde port 12220/TCP Connexion détectée sur le port 12220 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12220_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12220 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12220 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "fb056462e1484fd09c0f2f2d5245ab8b30390ef6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.075509526151339, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12220, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "e7c5f8362dbc03588e72220de3039d80c4920c94", "event_fingerprint": "04efd8f493a96e445f8dc8a84239de989114020b", "classification_reason": "Type \u00ab port_12220_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "57d4142f21e13e4ba0a16759d57e38e7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12220, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12220\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12220\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12220\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12220\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12220\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12220_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9438e9a41b80f7db664707bd1f87f9c3c9ef1a9b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12220, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12220\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12220 tcp \u00b7 via HTTP:12220 \u00b7 (sonde \/ probe)", "target_port_label": "12220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12220_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12220_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12220, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12220, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12220 tcp \u00b7 via HTTP:12220 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12220\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12220 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12220" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:57:11 UTC	TCP	9207 · HTTP	http	Sonde port 9207/TCP port 9207 tcp · via HTTP:9207 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9207 Chemin / cible / Preuve honeypot — Sonde port 9207/TCP Connexion détectée sur le port 9207 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9207_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9207 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9207 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "7be3a6ec131dfc19cf07072c92659622863ec3bc", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.121418587371742, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9207, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "cfdc503915cc38eff8a1f5bfee1bdecd89225b74", "event_fingerprint": "c3e631cba0b1101cc32c821b12b07cf2058f0274", "classification_reason": "Type \u00ab port_9207_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "12dd8e105932968440ae40cedcddba29", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9207, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9207\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9207\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9207\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9207\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9207\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9207_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eeb507e77ae7d8a5813fd16b28076aceb6a6263c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9207, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9207\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9207 tcp \u00b7 via HTTP:9207 \u00b7 (sonde \/ probe)", "target_port_label": "9207 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9207_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9207_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9207, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9207, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9207 tcp \u00b7 via HTTP:9207 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9207\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9207 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9207" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:55:42 UTC	TCP	1650 · HTTP	http	Sonde port 1650/TCP port 1650 tcp · via HTTP:1650 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1650 Chemin / cible / Preuve honeypot — Sonde port 1650/TCP Connexion détectée sur le port 1650 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_1650_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1650 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1650 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "78604e1bb778b81b1ec8f20295d10fcbbd07acec", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.092208570204, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 1650, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "d14eebd2cbd907dfd9329b7631d6e643c59cb0ba", "event_fingerprint": "e2b7bbaade898493235a426dad5f2165479ef91f", "classification_reason": "Type \u00ab port_1650_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "cd8ed7cac017edbdeeb072bcbbee4afd", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1650, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1650\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1650\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1650\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1650\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1650\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_1650_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c7e118c342de823870d097e2c0bd619f08c79de5", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1650, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1650\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 1650 tcp \u00b7 via HTTP:1650 \u00b7 (sonde \/ probe)", "target_port_label": "1650 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_1650_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_1650_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1650, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1650, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 1650 tcp \u00b7 via HTTP:1650 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1650\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "1650 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1650" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:54:32 UTC	TCP	16099 · HTTP	http	Sonde port 16099/TCP port 16099 tcp · via HTTP:16099 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16099 Chemin / cible / Preuve honeypot — Sonde port 16099/TCP Connexion détectée sur le port 16099 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16099_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16099 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16099 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "168a6380206e068c4e004b58bf2e9a41c0ab9f70", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.121461141812316, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16099, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "72a3dbdb4e42502d4212fc92ca078666833f6840", "event_fingerprint": "ea9c93dab4a8670c175bb7e4e15782033f6a86f2", "classification_reason": "Type \u00ab port_16099_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c4d8ae46b26425041e7fefb47c1d489e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16099, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16099_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ffd00b87846ff70fca678229336279a64a7d552b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16099, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16099 tcp \u00b7 via HTTP:16099 \u00b7 (sonde \/ probe)", "target_port_label": "16099 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16099_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16099_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16099, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16099, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16099 tcp \u00b7 via HTTP:16099 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16099\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16099 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16099" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:53:50 UTC	TCP	21295 · HTTP	http	Sonde port 21295/TCP port 21295 tcp · via HTTP:21295 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 21295 Chemin / cible / Preuve honeypot — Sonde port 21295/TCP Connexion détectée sur le port 21295 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_21295_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21295 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21295 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "dbce70e99d0886abaa2f35d49652c82b2bc592ac", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.096905764435193, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 21295, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "cc431bd8f6140512191ee57455cb2260e37b9afc", "event_fingerprint": "468b331a15adaebcd276811371bd40171b30f678", "classification_reason": "Type \u00ab port_21295_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "8a019b8374008875cb51acc097e926e3", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 21295, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_21295_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "24e09f99d80c5202e691659a21318f136fc3296a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21295, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 21295 tcp \u00b7 via HTTP:21295 \u00b7 (sonde \/ probe)", "target_port_label": "21295 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_21295_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_21295_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 21295, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21295, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 21295 tcp \u00b7 via HTTP:21295 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21295\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "21295 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "21295" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:52:05 UTC	TCP	15040 · HTTP	http	Sonde port 15040/TCP port 15040 tcp · via HTTP:15040 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 15040 Chemin / cible / Preuve honeypot — Sonde port 15040/TCP Connexion détectée sur le port 15040 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_15040_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:15040 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:15040 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "471b6a75c785bae01391ab84cf664105099c05b3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.111190563551587, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 15040, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "4b9f500a59c0c9e8ac19b19e0c56460cab595d88", "event_fingerprint": "0c7c40a4b519f5f3ac13a316e13ca7aae0fd03ef", "classification_reason": "Type \u00ab port_15040_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "16a1c67549c14c61fea8bb1edd2319c5", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 15040, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_15040_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ccc26e4adc37783ea5e4a6141fd8dd23cdb561a9", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 15040, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 15040 tcp \u00b7 via HTTP:15040 \u00b7 (sonde \/ probe)", "target_port_label": "15040 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_15040_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_15040_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 15040, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 15040, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 15040 tcp \u00b7 via HTTP:15040 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15040\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "15040 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "15040" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:52:04 UTC	TCP	1926 · HTTP	http	Sonde port 1926/TCP port 1926 tcp · via HTTP:1926 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1926 Chemin / cible / Preuve honeypot — Sonde port 1926/TCP Connexion détectée sur le port 1926 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_1926_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1926 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1926 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "4b66a72ecb86c8ba67df1520c0ec319a3bec5cd5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 1926, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c9d501b72562d850126f6363f78382419146df6b", "event_fingerprint": "bb94bbb78a4ae6ef95dac60fadbdd570226db29c", "classification_reason": "Type \u00ab port_1926_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "922c43998f036c6b2abeadab7dbbded7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1926, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1926\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1926\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1926\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1926\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1926\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_1926_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c97310d0c2ab343a6e423f71f824262a4482b815", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1926, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1926\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 1926 tcp \u00b7 via HTTP:1926 \u00b7 (sonde \/ probe)", "target_port_label": "1926 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_1926_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_1926_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1926, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1926, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 1926 tcp \u00b7 via HTTP:1926 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1926\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "1926 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1926" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
17/06/2026 11:49:45 UTC	TCP	6443 · K8S API	k8s-api	Sonde Kubernetes API kubernetes probe · via K8S API:6443 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur K8S-API WAF — Recommandation Surveiller Tags http_get_probe k8s_api_emulated k8s_api_payload kubernetes_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6443 Chemin / cible — Service K8S API Payload GET / HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Pourquoi cette classification : Type « kubernetes_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 24 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75", "emulator_response_len": 165, "bytes_in": 146, "payload_entropy": 5.105223190271739, "port_category": "registered", "org": "Google LLC", "service": "k8s-api", "app_proto": "k8s-api", "asn": 396982, "country": "BE", "dst_port": 6443, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 24, "tag_count": 5, "anomaly_count": 0, "campaign_key": "779b413768864c7b9c97862a39322b83a3bf76f5", "event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1", "classification_reason": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 24, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "k8s-api", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8d641efb351166415e6cf6cca04d8df7", "path_pattern_hash": "9911336c7fd1406c8e284bedc6c69f4b" }, "target_context": { "dst_port": 6443, "service": "k8s-api", "service_name": "k8s-api", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f1a2035b96cf03c09b8e9416f0e35e1ef2442eae", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 6443, "service": "k8s-api", "service_label_fr": "K8S API" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "kubernetes probe \u00b7 via K8S API:6443 \u00b7 (sonde \/ probe)", "target_port_label": "6443 \u00b7 K8S API", "emulator_service": "k8s-api", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 24, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "k8s-api", "service_label_fr": "K8S API", "dst_port": 6443, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-k8s-api", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 6443, "service": "k8s-api", "service_label_fr": "K8S API" }, "attack_vector": "kubernetes probe \u00b7 via K8S API:6443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "6443 \u00b7 K8S API", "emulator_service": "k8s-api", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "k8s_api", "service_banner": "honeypot-k8s-api", "service_os": "linux", "dst_port": "6443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "k8s-api" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "k8s_api_emulated", "k8s_api_payload", "kubernetes_probe", "net_kubernetes_probe" ], "asn_dc_heuristic": true }
17/06/2026 11:48:42 UTC	TCP	18053 · HTTP	http	Sonde port 18053/TCP port 18053 tcp · via HTTP:18053 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18053 Chemin / cible / Preuve honeypot — Sonde port 18053/TCP Connexion détectée sur le port 18053 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_18053_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18053 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18053 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "083742adcbc242e2d2e472de05aed110441614b1", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.105375917481701, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 18053, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "8415833f7461ab2e3002c8726957ad8b9e17d9be", "event_fingerprint": "7d8596eef1e3afa191fe84bff2a9442bdf80520f", "classification_reason": "Type \u00ab port_18053_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "d3807561c545471ab1b16b8b6c89101f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 18053, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18053\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18053\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18053\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18053\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18053\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_18053_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "29667cd16cff7529e58c35db02363656bc37e0e6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18053, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18053\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 18053 tcp \u00b7 via HTTP:18053 \u00b7 (sonde \/ probe)", "target_port_label": "18053 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_18053_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_18053_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18053, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18053, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 18053 tcp \u00b7 via HTTP:18053 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18053\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "18053 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18053" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:44:46 UTC	TCP	2443 · HTTP	http	Sonde port 2443/TCP port 2443 tcp · via HTTP:2443 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2443 Chemin / cible / Preuve honeypot — Sonde port 2443/TCP Connexion détectée sur le port 2443 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_2443_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2443 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2443 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "6680a596a080b68a0307420a2ef462bf22e56485", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.096695022478339, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2443, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "a9a70ae5a7dcb87d8f51eea021a5e13313444745", "event_fingerprint": "21d865811fe3e2d6fb9b2a4de06f4ae6a6b1b3a6", "classification_reason": "Type \u00ab port_2443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "206b3bf1c5db28329bcb5c67f3fa0b03", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2443, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_2443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5cf64d204fd1d769365866cdba4dccad2584b5df", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 2443 tcp \u00b7 via HTTP:2443 \u00b7 (sonde \/ probe)", "target_port_label": "2443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_2443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_2443_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2443, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 2443 tcp \u00b7 via HTTP:2443 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2443\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:44:07 UTC	TCP	8503 · HTTP	http	Sonde port 8503/TCP port 8503 tcp · via HTTP:8503 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8503 Chemin / cible / Preuve honeypot — Sonde port 8503/TCP Connexion détectée sur le port 8503 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8503_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8503 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8503 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "35d50214dbec29f0dfbe752ce03d9b2e2cda1ee4", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.100052727928154, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8503, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "dbbb1fc68ac2bea7ac8cb3d4b931ead2704b7b12", "event_fingerprint": "84fe241cdafa94a14e7b85d85e21f6b8a6af8cc7", "classification_reason": "Type \u00ab port_8503_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "0f420cad47b0eed492c2d3f9120de188", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8503, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8503_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a56b5e79b74bd68ce33855c9a649436056017b28", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8503, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8503 tcp \u00b7 via HTTP:8503 \u00b7 (sonde \/ probe)", "target_port_label": "8503 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8503_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8503_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8503, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8503, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8503 tcp \u00b7 via HTTP:8503 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8503\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8503 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8503" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
17/06/2026 11:43:25 UTC	TCP	5277 · HTTP	http	Sonde port 5277/TCP port 5277 tcp · via HTTP:5277 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5277 Chemin / cible / Preuve honeypot — Sonde port 5277/TCP Connexion détectée sur le port 5277 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5277_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5277 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5277 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "07ec9f6a2fa67842ff73d9b50fd3510e055fbf9e", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5277, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "6a8841c96e1294157450252d0e8a21921132fd1e", "event_fingerprint": "e0c456f67c8aec4de341b7558435caea1a9cddac", "classification_reason": "Type \u00ab port_5277_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c325bd62d9afdcda72c0716edd92432d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5277, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5277\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5277\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5277\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5277\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5277\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5277_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b4fdb323d05d9e38c0e839dc0761e9bb2f1b7d98", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5277, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5277\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5277 tcp \u00b7 via HTTP:5277 \u00b7 (sonde \/ probe)", "target_port_label": "5277 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5277_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5277_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5277, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5277, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5277 tcp \u00b7 via HTTP:5277 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5277\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5277 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5277" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 11:41:52 UTC	TCP	5905 · HTTP	http	Sonde port 5905/TCP port 5905 tcp · via HTTP:5905 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5905 Chemin / cible / Preuve honeypot — Sonde port 5905/TCP Connexion détectée sur le port 5905 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5905_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5905 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5905 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "ed52fc20425c831736f6d9303c5bd5a3139af829", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5905, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "6c9834d7632e946d0db94a9d6863d66ab7f2e597", "event_fingerprint": "a22123f878a787a3d13d0f0215a0e9b7aa43fc16", "classification_reason": "Type \u00ab port_5905_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "65f724cfc234291427d4f51795d62335", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5905, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5905\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5905\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5905\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5905\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5905\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5905_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "abdb89db3c7127dc6f7bde75f7495bf3b0ba3a16", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5905, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5905\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5905 tcp \u00b7 via HTTP:5905 \u00b7 (sonde \/ probe)", "target_port_label": "5905 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5905_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5905_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5905, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5905, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5905 tcp \u00b7 via HTTP:5905 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5905\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5905 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5905" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 10:09:53 UTC	TCP	6581 · HTTP	http	Sonde port 6581/TCP port 6581 tcp · via HTTP:6581 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6581 Chemin / cible / Preuve honeypot — Sonde port 6581/TCP Connexion détectée sur le port 6581 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_6581_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6581 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6581 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8554b939d950cad1b9dbf00d409b9cc96b821ae0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.105907200340986, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 6581, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c699b0fa0728ffdb3896e2f1d8a6971bdc804602", "event_fingerprint": "b173b2eb678ec7e4d555a5bec4c19948d3eee588", "classification_reason": "Type \u00ab port_6581_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "fd454b7d6eecda32f72f65473527ae97", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6581, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_6581_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3eb4af79ba01ea0fb6a149b829bcd5db376c7937", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 6581, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 6581 tcp \u00b7 via HTTP:6581 \u00b7 (sonde \/ probe)", "target_port_label": "6581 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6581_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6581_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6581, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 6581, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 6581 tcp \u00b7 via HTTP:6581 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "6581 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6581" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 10:09:28 UTC	TCP	92 · HTTP	http	Sonde port 92/TCP port 92 tcp · via HTTP:92 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 92 Chemin / cible / Preuve honeypot — Sonde port 92/TCP Connexion détectée sur le port 92 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_92_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:92 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:92 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8f3bdd55ce4b383f39aae6f716b49d3bd5c78829", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 144, "payload_entropy": 5.086680058107535, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 92, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "80c3e530add6b73cf493434d2df4ad2c9228b734", "event_fingerprint": "5e262ce9a60ce80b02d0520c75310c7186661f4b", "classification_reason": "Type \u00ab port_92_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2cc3e8d090053bb83ec2567897167ec5", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 92, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:92\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:92\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:92\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:92\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:92\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "classification_reason": "Type \u00ab port_92_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c6c2ad6140d4fdcc89007ceb09510f414305abd8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 92, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:92\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "attack_vector": "port 92 tcp \u00b7 via HTTP:92 \u00b7 (sonde \/ probe)", "target_port_label": "92 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_92_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_92_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 92, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 92, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 92 tcp \u00b7 via HTTP:92 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:92\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "target_port_label": "92 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "92" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 10:08:46 UTC	TCP	16054 · HTTP	http	Sonde port 16054/TCP port 16054 tcp · via HTTP:16054 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16054 Chemin / cible / Preuve honeypot — Sonde port 16054/TCP Connexion détectée sur le port 16054 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16054_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16054 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16054 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "9fbd90b220473c06544216edbb7a153aa4f594fb", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.116325852681951, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16054, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "165be7cd1368020df76b3ee8eb938415245f4688", "event_fingerprint": "14bc20fa3742fd46fcd03f1beaa38bc2a2ab7642", "classification_reason": "Type \u00ab port_16054_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "86ffe2f1f6e286d11db20cc47f9dc7b4", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16054, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16054\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16054\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16054\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16054\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16054\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16054_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "417fbc5a044c448c1349106be9506905d39cb622", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16054, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16054\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16054 tcp \u00b7 via HTTP:16054 \u00b7 (sonde \/ probe)", "target_port_label": "16054 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16054_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16054_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16054, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16054, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16054 tcp \u00b7 via HTTP:16054 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16054\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16054 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16054" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 10:06:57 UTC	TCP	12579 · HTTP	http	Sonde port 12579/TCP port 12579 tcp · via HTTP:12579 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12579 Chemin / cible / Preuve honeypot — Sonde port 12579/TCP Connexion détectée sur le port 12579 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12579_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12579 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12579 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "4de770cbb6a23ff46e711e641f3197b01e9ef136", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.121461141812314, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12579, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "8c1263184ee4d9f8e080daf176302e928d07f350", "event_fingerprint": "5447f487fc2af9d260700041b7f04d9cd1fbfffc", "classification_reason": "Type \u00ab port_12579_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "61210fec4c3ab908fbb1c420d1c7446e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12579, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12579\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12579\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12579\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12579\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12579\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12579_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e71256fbc0fb87a6104cad21e45fb8544e944cae", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12579, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12579\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12579 tcp \u00b7 via HTTP:12579 \u00b7 (sonde \/ probe)", "target_port_label": "12579 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12579_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12579_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12579, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12579, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12579 tcp \u00b7 via HTTP:12579 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12579\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12579 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12579" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
17/06/2026 10:00:11 UTC	TCP	2376 · DOCKER TLS	docker-tls	docker tls probe docker tls probe · via DOCKER TLS:2376 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER-TLS WAF — Recommandation Surveiller Tags docker_api_probe docker_tls_emulated docker_tls_payload net_docker_tls_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2376 Chemin / cible — Service DOCKER TLS Payload �g�ښ�ٗ><��E�G�M��:/זVkY�q�� N� ��J�RS��1)�� Ҩ�s��x�h��V�,�0�+�/̨̩��̪��$�(�#�'� �� Pourquoi cette classification :* Type « docker_tls_probe » (signaux protocolaires) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 62 % — 5 signal(aux) capteur Protocole émulé 1 Signaux Docker Tls Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �g�ښ�ٗ><��E�G�M��:/זVkY�q�� N��J�RS��1)�� Ҩ�s��x�h��V�,�0�+�/̨̩��̪��$�(�#�'� �� Requête brute (extrait) �g�ښ�ٗ><��E�G�M��:/זVkY�q�� N� ��J�RS��1)�� Ҩ�s��x�h��V�,�0�+�/̨̩��̪��$�(�#�'� �� kg93��=<5/�] http/1.11 ( Meta JSON brut { "protocol_emulated": true, "emulator_response": "15030300020228", "emulator_response_len": 7, "bytes_in": 517, "payload_entropy": 4.384181172432159, "port_category": "registered", "org": "Google LLC", "service": "docker-tls", "app_proto": "docker-tls", "asn": 396982, "country": "BE", "dst_port": 2376, "risk_waf": 8, "risk_classification": 44, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 44, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10 }, "risk_score": 45, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8b17215afa683664673e4e271716fbb0ba8f91d8", "event_fingerprint": "0e1c691ada97ecfe1cd84524e4db6b819b7ed10b", "classification_reason": "Type \u00ab docker_tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 69, "precision_signals": [ "INT-docker-tls", "INT-upstream" ], "kb_rule_ids": [ "INT-docker-tls", "INT-upstream" ], "matched_patterns": [ "pat-0554", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "Minecraft varint handshake", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0554", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 44, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 45, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "docker-tls", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "569086a9f70bdb64a60c5082418debad", "path_pattern_hash": "d32a2cff6903ffd31fff36df36da58ae" }, "target_context": { "dst_port": 2376, "service": "docker-tls", "service_name": "docker-tls", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\ufffd\u069a\ufffd\u0657><\ufffd\u001a\ufffdE\ufffdG\ufffdM\ufffd\ufffd\ufffd:\/\u05d6VkY\ufffdq\ufffd\ufffd N\ufffd\u000b\ufffd\ufffd\ufffdJ\ufffdRS\ufffd\ufffd1)\ufffd\ufffd \u04a8\ufffds\u0019\ufffd\ufffd\ufffdx\ufffd\bh\ufffd\ufffd\u0000V\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\ufffd+\ufffd\/\u0329\u0328\u0000\ufffd\u0000\ufffd\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd(\ufffd#\ufffd'\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\ufffd\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\ufffd\u069a\ufffd\u0657><\ufffd\u001a\ufffdE\ufffdG\ufffdM\ufffd\ufffd\ufffd:\/\u05d6VkY\ufffdq\ufffd\ufffd N\ufffd\u000b\ufffd\ufffd\ufffdJ\ufffdRS\ufffd\ufffd1)\ufffd\ufffd \u04a8\ufffds\u0019\ufffd\ufffd\ufffdx\ufffd\bh\ufffd\ufffd\u0000V\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\ufffd+\ufffd\/\u0329\u0328\u0000\ufffd\u0000\ufffd\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd(\ufffd#\ufffd'\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000k\u0000g\u00009\u00003\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001]\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000\u0010\u0000\u000b\u0000\t\bhttp\/1.1\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u00001\u0000\u0000\u0000\r\u0000\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\ufffd\u069a\ufffd\u0657><\ufffd\u001a\ufffdE\ufffdG\ufffdM\ufffd\ufffd\ufffd:\/\u05d6VkY\ufffdq\ufffd\ufffd N\ufffd\u000b\ufffd\ufffd\ufffdJ\ufffdRS\ufffd\ufffd1)\ufffd\ufffd \u04a8\ufffds\u0019\ufffd\ufffd\ufffdx\ufffd\bh\ufffd\ufffd\u0000V\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\ufffd+\ufffd\/\u0329\u0328\u0000\ufffd\u0000\ufffd\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd(\ufffd#\ufffd'\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\ufffd\ufffd", "classification_reason": "Type \u00ab docker_tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 62%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab7a5fb0a5a9b4ac5cb0738e352d0a5269e3d729", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\ufffd\u069a\ufffd\u0657><\ufffd\u001a\ufffdE\ufffdG\ufffdM\ufffd\ufffd\ufffd:\/\u05d6VkY\ufffdq\ufffd\ufffd N\ufffd\u000b\ufffd\ufffd\ufffdJ\ufffdRS\ufffd\ufffd1)\ufffd\ufffd \u04a8\ufffds\u0019\ufffd\ufffd\ufffdx\ufffd\bh\ufffd\ufffd\u0000V\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\ufffd+\ufffd\/\u0329\u0328\u0000\ufffd\u0000\ufffd\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd(\ufffd#\ufffd'\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\ufffd\ufffd", "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "evidence_snippet": "\ufffdg\ufffd\u069a\ufffd\u0657><\ufffd\ufffdE\ufffdG\ufffdM\ufffd\ufffd\ufffd:\/\u05d6VkY\ufffdq\ufffd\ufffd N\ufffd\ufffd\ufffd\ufffdJ\ufffdRS\ufffd\ufffd1)\ufffd\ufffd \u04a8\ufffds\ufffd\ufffd\ufffdx\ufffdh\ufffd\ufffdV\ufffd,\ufffd0\ufffd+\ufffd\/\u0329\u0328\ufffd\ufffd\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd(\ufffd#\ufffd'\ufffd\n\ufffd\ufffd\t\ufffd\ufffd\ufffd", "attack_vector": "docker tls probe \u00b7 via DOCKER TLS:2376 \u00b7 (sonde \/ probe)", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 62 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 62%", "classification_reason_label_fr": "Type \u00ab docker_tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 70, "confidence_breakdown": { "waf": 8, "classification": 44, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 10, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "docker-tls", "service_label_fr": "DOCKER TLS", "dst_port": 2376, "protocol_emulated": true, "tags_summary": [ "INT-docker-tls", "INT-upstream" ], "tags_summary_labels_fr": [ "Docker Tls", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-docker-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003g\ufffd\u069a\ufffd\u0657><\ufffd\u001a\ufffdE\ufffdG\ufffdM\ufffd\ufffd\ufffd:\/\u05d6VkY\ufffdq\ufffd\ufffd N\ufffd\u000b\ufffd\ufffd\ufffdJ\ufffdRS\ufffd\ufffd1)\ufffd\ufffd \u04a8\ufffds\u0019\ufffd\ufffd\ufffdx\ufffd\bh\ufffd\ufffd\u0000V\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\ufffd+\ufffd\/\u0329\u0328\u0000\ufffd\u0000\ufffd\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd(\ufffd#\ufffd'\ufffd\n\ufffd\u0014\ufffd\t\ufffd\u0013\ufffd\ufffd", "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "attack_vector": "docker tls probe \u00b7 via DOCKER TLS:2376 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdg\ufffd\u069a\ufffd\u0657><\ufffd\ufffdE\ufffdG\ufffdM\ufffd\ufffd\ufffd:\/\u05d6VkY\ufffdq\ufffd\ufffd *N\ufffd\ufffd\ufffd\ufffdJ\ufffdRS\ufffd\ufffd1)\ufffd\ufffd \u04a8\ufffds\ufffd\ufffd\ufffdx\ufffdh\ufffd\ufffdV\ufffd,\ufffd0\ufffd+\ufffd\/\u0329\u0328\ufffd\ufffd\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd(\ufffd#\ufffd'\ufffd\n\ufffd\ufffd\t\ufffd\ufffd\ufffd", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 62 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker_tls", "service_banner": "honeypot-docker-tls", "service_os": "linux", "dst_port": "2376" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "docker-tls", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_tls_emulated", "docker_tls_payload", "net_docker_tls_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
17/06/2026 09:57:16 UTC	TCP	3187 · HTTP	http	Scan de ports port scan syn · via HTTP:3187 · (reconnaissance)	Élevée	Moyen · 43
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3187 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 43 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3187 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3187 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "a9cd2b339e44f0bc47843105caf9187258cea729", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.113751358065142, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3187, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 43, "tag_count": 4, "anomaly_count": 1, "campaign_key": "2a1841cedf13321504bcd88435a2ea0567e47c2f", "event_fingerprint": "c72289375eda39b09b20d2cd49e8f63b1d0fc389", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "d97e713f660963ed1b89d504415c0779", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3187, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "535abcc488fd67a484283a97cbb3dfa49b28ca26", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3187, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:3187 \u00b7 (reconnaissance)", "target_port_label": "3187 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 43 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3187, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3187, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:3187 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3187\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3187 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3187" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:57:01 UTC	TCP	10084 · HTTP	http	Sonde port 10084/TCP port 10084 tcp · via HTTP:10084 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10084 Chemin / cible / Preuve honeypot — Sonde port 10084/TCP Connexion détectée sur le port 10084 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_10084_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10084 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10084 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "540e9d6cf75ceab5610db03a51ece6182689e1da", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.129931294858822, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 10084, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "a2182ab189042af8829c9c2917883b42a6f5938a", "event_fingerprint": "3e279a5c5121dc278dfc97874897034afb4e3cb1", "classification_reason": "Type \u00ab port_10084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "ec375c6e610b2083f8ab151c619cc137", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 10084, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_10084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b68b688fd7dda4ad9e594a6edaa235241aaa0e2", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 10084, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 10084 tcp \u00b7 via HTTP:10084 \u00b7 (sonde \/ probe)", "target_port_label": "10084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_10084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_10084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10084, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 10084, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 10084 tcp \u00b7 via HTTP:10084 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "10084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10084" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:56:17 UTC	TCP	3160 · HTTP	http	Sonde port 3160/TCP port 3160 tcp · via HTTP:3160 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3160 Chemin / cible / Preuve honeypot — Sonde port 3160/TCP Connexion détectée sur le port 3160 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3160_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3160 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3160 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "2ed477da899e82f66276bb76f09136174338ef7d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.086354097791168, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3160, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "fbf99c1bfcbe1872d5701d3b720b729e891ce92a", "event_fingerprint": "c4738b10ef0f4f52fe98066ba2f7345554f1790e", "classification_reason": "Type \u00ab port_3160_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "737bd04e98ebc2c6d2e6f773e68e9328", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3160, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3160\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3160\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3160\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3160\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3160\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_3160_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5afca960d3f086d07107a3e5986a034ca9249523", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3160, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3160\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 3160 tcp \u00b7 via HTTP:3160 \u00b7 (sonde \/ probe)", "target_port_label": "3160 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3160_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3160_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3160, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3160, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3160 tcp \u00b7 via HTTP:3160 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3160\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3160 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3160" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:55:21 UTC	TCP	12438 · HTTP	http	Sonde port 12438/TCP port 12438 tcp · via HTTP:12438 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12438 Chemin / cible / Preuve honeypot — Sonde port 12438/TCP Connexion détectée sur le port 12438 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12438_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12438 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12438 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8a3680fdfae7a56dbd5f149628ca99aab819cc84", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.1156464957424275, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12438, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "24967444344d35e37c37ed94fa53f5260d3c3b8e", "event_fingerprint": "1190d7b6237db51684398d3527b26e8b892f5fa0", "classification_reason": "Type \u00ab port_12438_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "bd5ee5baaf8c4c4779e315c697b8a7a6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12438, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12438\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12438\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12438\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12438\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12438\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12438_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b2a567d29bfbcadb6d925587aff957b7f3a79f3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12438, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12438\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12438 tcp \u00b7 via HTTP:12438 \u00b7 (sonde \/ probe)", "target_port_label": "12438 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12438_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12438_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12438, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12438, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12438 tcp \u00b7 via HTTP:12438 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12438\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12438 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12438" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:52:50 UTC	TCP	2233 · HTTP	http	Sonde port 2233/TCP port 2233 tcp · via HTTP:2233 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2233 Chemin / cible / Preuve honeypot — Sonde port 2233/TCP Connexion détectée sur le port 2233 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_2233_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2233 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2233 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8a2219fe58e56afba0b4a684c9ccbff172c05a2d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.058956837517196, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2233, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "aa4287b556acd10fb4260f770225c99c964f0e00", "event_fingerprint": "c5ab926cbab4c59146b6a30e32c4cd555192dd3d", "classification_reason": "Type \u00ab port_2233_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2f3f4afbe303d4e6ca33256dc2c68f1b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2233, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2233\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2233\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2233\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2233\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2233\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_2233_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3bcd3e3a74396509de3f1f9d6bbf64cd250fd6e1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2233, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2233\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 2233 tcp \u00b7 via HTTP:2233 \u00b7 (sonde \/ probe)", "target_port_label": "2233 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_2233_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_2233_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2233, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2233, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 2233 tcp \u00b7 via HTTP:2233 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2233\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2233 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2233" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:52:29 UTC	TCP	3791 · HTTP	http	Sonde port 3791/TCP port 3791 tcp · via HTTP:3791 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3791 Chemin / cible / Preuve honeypot — Sonde port 3791/TCP Connexion détectée sur le port 3791 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3791_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3791 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3791 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "c92f419799071a067facb1b9803e10b7f3ade8d8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.113751358065142, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3791, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "6292c1d89ded0f6ba37807832bac9398e1092ebf", "event_fingerprint": "27e50220915060ee40dc37169c4e7789708f01a0", "classification_reason": "Type \u00ab port_3791_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "98157ebf370f380529a81b6b523fffbe", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3791, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3791\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3791\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3791\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3791\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3791\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_3791_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3304b6f955f07cf5186c6501598fddbc6a1df5f8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3791, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3791\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 3791 tcp \u00b7 via HTTP:3791 \u00b7 (sonde \/ probe)", "target_port_label": "3791 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3791_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3791_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3791, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3791, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3791 tcp \u00b7 via HTTP:3791 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3791\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3791 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3791" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:49:01 UTC	TCP	9773 · HTTP	http	Sonde port 9773/TCP port 9773 tcp · via HTTP:9773 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9773 Chemin / cible / Preuve honeypot — Sonde port 9773/TCP Connexion détectée sur le port 9773 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9773_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9773 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9773 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "451b6f4efd39a7a368d8700d887e8057a78615d3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.118921820408727, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9773, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "a45820a3337bbfa42f7b40342d76e1e9a5d4c8b4", "event_fingerprint": "f0e64cd53dfc6e4cb2efd3da95de6856629d3f91", "classification_reason": "Type \u00ab port_9773_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "f9b35038222f70159b9ad1d1909731a8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9773, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9773_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0cf9f2da41d676f938f72309309501a827a8dfca", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9773, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9773 tcp \u00b7 via HTTP:9773 \u00b7 (sonde \/ probe)", "target_port_label": "9773 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9773_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9773_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9773, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9773, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9773 tcp \u00b7 via HTTP:9773 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9773 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9773" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:47:53 UTC	TCP	6070 · HTTP	http	Scan de ports port scan syn · via HTTP:6070 · (reconnaissance)	Élevée	Moyen · 43
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6070 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 43 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6070 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6070 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "2f5439e39a81874c8b0d45b8963e93db552c6504", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.111077662684571, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 6070, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 43, "tag_count": 4, "anomaly_count": 1, "campaign_key": "fbe9b0996fa5aa2fa1b11c3b2b774f36e2020f7b", "event_fingerprint": "40ed6784a4b30820bb5cb64ca3f0dff01bbe78e6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "8fb32ce3a86d8fc1c41cce85de36de1f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6070, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf301add45ba6d882287d41faa8825d72742dfa4", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 6070, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:6070 \u00b7 (reconnaissance)", "target_port_label": "6070 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 43 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6070, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 6070, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6070 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6070\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "6070 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6070" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:47:18 UTC	TCP	8151 · HTTP	http	Scan de ports port scan syn · via HTTP:8151 · (reconnaissance)	Élevée	Moyen · 44
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8151 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 44 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8151 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8151 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "c0e9f3fe1d72f7c923c20f8e4a2219e821f8fb88", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.097379032547585, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8151, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 44, "tag_count": 4, "anomaly_count": 1, "campaign_key": "15c483fef83362d7c0548d528355467f92c1da76", "event_fingerprint": "c46f70f9e6efca558ff30430bdc7621fb9519612", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2d336ebea711b94e68283b01d2aa4c3a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8151, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b4e9e5f6914844e9ffc07010e3a5c7bfc5e3693e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8151, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:8151 \u00b7 (reconnaissance)", "target_port_label": "8151 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8151, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8151, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8151 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8151\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8151 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8151" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:46:57 UTC	TCP	12382 · HTTP	http	Scan de ports port scan syn · via HTTP:12382 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12382 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +6 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12382 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12382 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "1baf5d598c3a460af4b59a778b7f6cb1d98ff7e7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.0910911183653065, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12382, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "51b9854209b6ff079f4add92dbbb5b54ff4425e4", "event_fingerprint": "26d3b76f3a74f55a8789485162c59cdad9afc77c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2a9d0786e66d66917f36a45868f45128", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12382, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12382\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12382\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12382\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12382\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12382\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "23188fc5fa01bc57c1657d79414be226a34d2c47", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12382, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12382\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port scan syn \u00b7 via HTTP:12382 \u00b7 (reconnaissance)", "target_port_label": "12382 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 6 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12382, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports" ], "correlation_flags_labels_fr": [ "Campagne multi-ports" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12382, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:12382 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12382\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12382 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12382" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 2121, 2567, 9550, 12382 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:46:45 UTC	TCP	2121 · HTTP	http	Scan de ports port scan syn · via HTTP:2121 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2121 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2121 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2121 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "0d8ced431957ed543d38612082407234ae7cda34", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.069297762204367, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2121, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "bd6e331dca8d9c1fa901e0b8e87cfb9a04383c31", "event_fingerprint": "eb38139cd7e4f48e500a7907790c3d75774c6b40", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "bb454a4937f0577ff87636731399140c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2121, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a109aa7f5a94998677da6bf4d8509abc2e7b348c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2121, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:2121 \u00b7 (reconnaissance)", "target_port_label": "2121 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2121, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2121, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2121 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2121 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2121" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
17/06/2026 09:46:16 UTC	TCP	9550 · HTTP	http	Sonde port 9550/TCP port 9550 tcp · via HTTP:9550 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9550 Chemin / cible / Preuve honeypot — Sonde port 9550/TCP Connexion détectée sur le port 9550 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9550_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9550 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9550 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "68345e4d0f5b5c1cd9b6688bb09b357c67b6bb66", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9550, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "2e31d0124ade9f8cb3a9e0b3ccff198af63cd54e", "event_fingerprint": "caece6e50471649897664ff6a039105c08686571", "classification_reason": "Type \u00ab port_9550_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "b6ec9a087ba297dde978ad0dadb23f19", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9550, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9550\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9550\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9550\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9550\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9550\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9550_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "63f33b747410260aef33251df9f75b7dbe754fff", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9550, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9550\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9550 tcp \u00b7 via HTTP:9550 \u00b7 (sonde \/ probe)", "target_port_label": "9550 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9550_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9550_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9550, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9550, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9550 tcp \u00b7 via HTTP:9550 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9550\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9550 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9550" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 09:46:14 UTC	TCP	2567 · HTTP	http	Sonde port 2567/TCP port 2567 tcp · via HTTP:2567 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2567 Chemin / cible / Preuve honeypot — Sonde port 2567/TCP Connexion détectée sur le port 2567 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_2567_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2567 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2567 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d661e1797684f4b5e93468b2c79f68ac7ceee5fb", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2567, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "6fcd0d79a739abb6e3b9c2185d82229c654693e1", "event_fingerprint": "c59e8f69e716f4cc6c7fdee2fc2e74a212c105a2", "classification_reason": "Type \u00ab port_2567_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "ad2dc39aa3d0a0a84220e49acf0c06a9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2567, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2567\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2567\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2567\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2567\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2567\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_2567_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fbf4b04e21180df0af87beaf677afa9611bf4b25", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2567, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2567\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 2567 tcp \u00b7 via HTTP:2567 \u00b7 (sonde \/ probe)", "target_port_label": "2567 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_2567_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_2567_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2567, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2567, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 2567 tcp \u00b7 via HTTP:2567 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2567\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2567 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2567" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }

34.78.120.132

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence