Renseignement sur les menaces

Belgique

34.79.151.177

FAI Google LLC Première vue 18/05/2026 06:07 UTC Dernière vue 16/06/2026 08:39 UTC Risque Critique

Période analysée : 2026-06-15 → 2026-06-16

Activité suspecte · risque 38/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 85/100 Critique

Première observation 18/05/2026 06:07 UTC

Dernière observation 16/06/2026 08:39 UTC

Événements (période) 87

MITRE ATT&CK principal TA0007 151 occurrences

Activité suspecte · risque 38/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_8024_tcp » (signaux protocolaires) · confiance 55%

Confiance 55 % — Score WAF 32 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.79.144.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 87 événements sur la période pour cette IP.

34.140.129.51 Sonde port 3187/TCP 16/06/2026 08:42 UTC
34.52.137.61 Sonde port 3130/TCP 16/06/2026 08:42 UTC
34.77.217.12 Sonde port 3105/TCP 16/06/2026 08:41 UTC
34.78.23.28 Sonde port 27972/TCP 16/06/2026 08:41 UTC
34.79.87.63 Sonde port 9700/TCP 16/06/2026 08:41 UTC
34.38.195.167 Sonde port 4430/TCP 16/06/2026 08:40 UTC
34.78.243.65 Sonde port 8029/TCP 16/06/2026 08:40 UTC
34.78.189.165 Sonde port 16084/TCP 16/06/2026 08:40 UTC

Événements (filtres)

Première observation

18/05/2026 06:07 UTC

Dernière observation

16/06/2026 08:39 UTC

Dernière activité (filtres)

16/06/2026 08:39 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 84 I2P ROUTER TCP 1 KERBEROS TCP 1 POSTGRES TCP 1

HTTP

I2P ROUTER

KERBEROS

POSTGRES

Géolocalisation

Origine réseau déclarée

Belgique unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 598 Port 21025 port_21025_tcp

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

port 8024 tcp · via HTTP:8024 · (sonde / probe)

Détails protocole

Méthode: GET
Chemin: /
User-Agent: python-requests/2.32.5

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:8024 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connecti

Port / service

8024 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Confiance

55%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

87 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

87 événement(s) — page 2/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 11:15:29 UTC	TCP	9186 · HTTP	http	Sonde port 9186/TCP port 9186 tcp · via HTTP:9186 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9186 Chemin / cible / Preuve honeypot — Sonde port 9186/TCP Connexion détectée sur le port 9186 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9186_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9186 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9186 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "a5d6923a6cdebc39eeb14d77b93aad0b6893cf46", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9186, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "aa8b9fcd205f1c38f0c361492ebd3fc026c4d48f", "event_fingerprint": "c1fc7929f4845f88c5f129990326c82ed68feb4b", "classification_reason": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "524b32e88c7754781369a1b7fb3412d9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9186, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e23a206082640d6b7f464453d1fb312a1e70f8e1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9186, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9186 tcp \u00b7 via HTTP:9186 \u00b7 (sonde \/ probe)", "target_port_label": "9186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9186, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9186, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9186 tcp \u00b7 via HTTP:9186 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9186" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 11:13:44 UTC	TCP	28017 · HTTP	http	Sonde port 28017/TCP port 28017 tcp · via HTTP:28017 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible / Preuve honeypot — Sonde port 28017/TCP Connexion détectée sur le port 28017 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_28017_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:28017 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:28017 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "f6f10f81c6b0e62a7d97bf9d7a2fb3e11f56b5bd", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.126596430942677, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 28017, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "25a2a2a21d9e51a847b85b25e4792b50d46d3350", "event_fingerprint": "e90b7319220c01c657341d9435bbe5b022cfa4e6", "classification_reason": "Type \u00ab port_28017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "51a7bc5fc96faad218591b8931dc07ab", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_28017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "20de07b3eba31cd9c48776ce27feb8f9d06f553b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 28017 tcp \u00b7 via HTTP:28017 \u00b7 (sonde \/ probe)", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_28017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_28017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 28017 tcp \u00b7 via HTTP:28017 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:09:14 UTC	TCP	10205 · HTTP	http	Sonde port 10205/TCP port 10205 tcp · via HTTP:10205 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10205 Chemin / cible / Preuve honeypot — Sonde port 10205/TCP Connexion détectée sur le port 10205 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_10205_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10205 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10205 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "870dce7c1087253c320adce74b0aa4af7af8ff03", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.089114968328208, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 10205, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "5091ffcdc154e796ea60a718b82a1e3322b205ab", "event_fingerprint": "8941002d5c431568cc9194a1e0ff234c146d5e9c", "classification_reason": "Type \u00ab port_10205_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "90925aa04369759fcf1b09b7db5af839", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 10205, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_10205_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2e0c7b72e833e32df3ad343c5c4563358e99157a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 10205, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 10205 tcp \u00b7 via HTTP:10205 \u00b7 (sonde \/ probe)", "target_port_label": "10205 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_10205_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_10205_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10205, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 10205, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 10205 tcp \u00b7 via HTTP:10205 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "10205 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10205" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 11:06:31 UTC	TCP	9082 · HTTP	http	Scan de ports port scan syn · via HTTP:9082 · (reconnaissance)	Élevée	Moyen · 44
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9082 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 44 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9082 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9082 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "0fe40ab70afe675223d923f1cb4a4eb33854af7a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.121418587371742, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9082, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 44, "tag_count": 4, "anomaly_count": 1, "campaign_key": "414119e58a10b16d507f63953d201f915322c0b9", "event_fingerprint": "2e38907e79c656013ee36456a9f6870118c4c25b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "5e00e103173ff3367cdfa8a1eae2cbf9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9082, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "338c894cae847b431074f406780baf27aeaaaf3a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9082, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:9082 \u00b7 (reconnaissance)", "target_port_label": "9082 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9082, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9082, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9082 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9082 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9082" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:06:00 UTC	TCP	5246 · HTTP	http	Sonde port 5246/TCP port 5246 tcp · via HTTP:5246 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5246 Chemin / cible / Preuve honeypot — Sonde port 5246/TCP Connexion détectée sur le port 5246 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5246_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5246 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5246 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "e398efbc621bbfb5a20ccb13b83c2662d4dfaa7a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5246, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "b1325dabf2828bc7811f5332a7ef1200a699ffaf", "event_fingerprint": "947ba1e5b1e69d034d015d539976710c9de501e5", "classification_reason": "Type \u00ab port_5246_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "53389bec203bb3ec20a3b558b164d48d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5246, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5246_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9806c2fa731a714e7223126bdac415bf1b41632a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5246, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5246 tcp \u00b7 via HTTP:5246 \u00b7 (sonde \/ probe)", "target_port_label": "5246 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5246_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5246_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5246, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5246, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5246 tcp \u00b7 via HTTP:5246 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5246 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5246" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:05:41 UTC	TCP	5500 · HTTP	http	Sonde port 5500/TCP port 5500 tcp · via HTTP:5500 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5500 Chemin / cible / Preuve honeypot — Sonde port 5500/TCP Connexion détectée sur le port 5500 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5500_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5500 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5500 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d5ab7fa32d29570115e28396cdbd8369873b3cf0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.0836804024105975, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5500, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "4dd0db472d1eb5b0fddcac2248181138b69acf0c", "event_fingerprint": "9b3a4e8b3a6712530cdd56226d5f6883334bb230", "classification_reason": "Type \u00ab port_5500_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "cb4e3523a4d95f49bce78912ac5ef808", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5500, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5500_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c3ce54f89813e58173e51955bd4ac0eb641140e1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5500, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5500 tcp \u00b7 via HTTP:5500 \u00b7 (sonde \/ probe)", "target_port_label": "5500 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5500_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5500_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5500, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5500, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5500 tcp \u00b7 via HTTP:5500 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5500 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5500" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:04:13 UTC	TCP	16084 · HTTP	http	Sonde port 16084/TCP port 16084 tcp · via HTTP:16084 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16084 Chemin / cible / Preuve honeypot — Sonde port 16084/TCP Connexion détectée sur le port 16084 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16084_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16084 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16084 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "e4ab5a33d23a41dc629cb3bbbe70dfca8195d3b4", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.135066583989185, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16084, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "7708e5f04573d506d199e979ad4fc681e6e155d5", "event_fingerprint": "cf67387f82b2e9c4b05fa5d2b420b5476154ee72", "classification_reason": "Type \u00ab port_16084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "3a77cc59ec1a0f63d9ded0d70b610a00", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16084, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1ebb4ca4a4d07e8f7b55242c15f2bd4ec269c059", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16084, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16084 tcp \u00b7 via HTTP:16084 \u00b7 (sonde \/ probe)", "target_port_label": "16084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16084, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16084, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16084 tcp \u00b7 via HTTP:16084 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16084" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:02:31 UTC	TCP	8029 · HTTP	http	Sonde port 8029/TCP port 8029 tcp · via HTTP:8029 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8029 Chemin / cible / Preuve honeypot — Sonde port 8029/TCP Connexion détectée sur le port 8029 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8029_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8029 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8029 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "5b13defe117186e4a1c5b832de4de9174465c300", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.121418587371742, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8029, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "5ebd29178718dd4fbff4022cbfcd0bb6e894bcbb", "event_fingerprint": "18d0437aa9e9a8677630eedee8ebbef73b72f1c5", "classification_reason": "Type \u00ab port_8029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "b3e01838a083bc1a15952c13ec6451a6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8029, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "95ce79cac16cf33e9bc6e9bedec2ff08b05aee91", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8029, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8029 tcp \u00b7 via HTTP:8029 \u00b7 (sonde \/ probe)", "target_port_label": "8029 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8029, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8029, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8029 tcp \u00b7 via HTTP:8029 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8029 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8029" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 11:01:22 UTC	TCP	8008 · HTTP	http	Sonde port 8008/TCP port 8008 tcp · via HTTP:8008 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8008 Chemin / cible / Preuve honeypot — Sonde port 8008/TCP Connexion détectée sur le port 8008 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8008_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "2f04469f58c087671b6a6ba85c59ddf7574837ab", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.111077662684571, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8008, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "753a881df9b8677b76444edb8fa5d5fcb063f324", "event_fingerprint": "3f7a78bbd783cb6e677f8fa91167c9c1845d1d91", "classification_reason": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "3a4f3033561765a1e9c4a7e5edd7a68f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8008, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61c01547d97e663217550356f64f503ff31e7c1b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8008 tcp \u00b7 via HTTP:8008 \u00b7 (sonde \/ probe)", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8008, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8008 tcp \u00b7 via HTTP:8008 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8008" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
15/06/2026 10:58:46 UTC	TCP	7403 · HTTP	http	Sonde port 7403/TCP port 7403 tcp · via HTTP:7403 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7403 Chemin / cible / Preuve honeypot — Sonde port 7403/TCP Connexion détectée sur le port 7403 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_7403_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7403 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7403 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "3571f43733b6532de4007d53aa227ab3a9a3e3c3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.118921820408727, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 7403, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "786a1fec3563fd4b5fffbb3e868bc12866438c86", "event_fingerprint": "ec44033dba96ee153d340f490907844f66fe6faa", "classification_reason": "Type \u00ab port_7403_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "4bc11ee04a38f7efe23f3e6d117c13be", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7403, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_7403_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "46bcad90795901ff7436a59b298c9885788c285e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 7403, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 7403 tcp \u00b7 via HTTP:7403 \u00b7 (sonde \/ probe)", "target_port_label": "7403 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_7403_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_7403_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7403, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 7403, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 7403 tcp \u00b7 via HTTP:7403 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "7403 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7403" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:58:32 UTC	TCP	18065 · HTTP	http	Sonde port 18065/TCP port 18065 tcp · via HTTP:18065 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18065 Chemin / cible / Preuve honeypot — Sonde port 18065/TCP Connexion détectée sur le port 18065 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_18065_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18065 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18065 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "af9be5badc9c5e9d46eed960b054f19d5e20c974", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.116325852681951, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 18065, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "b5c822fb5ef6938e8d60c8a79b4894baff5370ab", "event_fingerprint": "ab6b980208a5075999cb372113f5da614e25b7ee", "classification_reason": "Type \u00ab port_18065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "770a309b80360ee19fa8817cf70fb52b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 18065, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_18065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "decae96d3a0288ddc6c97ee6ee11695e3fbe36cf", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18065, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 18065 tcp \u00b7 via HTTP:18065 \u00b7 (sonde \/ probe)", "target_port_label": "18065 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_18065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_18065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18065, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18065, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 18065 tcp \u00b7 via HTTP:18065 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "18065 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18065" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:52:39 UTC	TCP	16101 · HTTP	http	Sonde port 16101/TCP port 16101 tcp · via HTTP:16101 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16101 Chemin / cible / Preuve honeypot — Sonde port 16101/TCP Connexion détectée sur le port 16101 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16101_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16101 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16101 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d810d7f123af62e9f5af89ffce54c688c1d4ef7e", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.088435611388687, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16101, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "e1969f813a9b37a896d6028b3a148606462f98f1", "event_fingerprint": "9ca86534d8db11c5666b1fefcaead6f9e9fdec8c", "classification_reason": "Type \u00ab port_16101_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "cf101412780f316c271a83190ae828a7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16101, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16101_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "21ed88b805acf0423453bfede2d171a2df2582eb", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16101, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16101 tcp \u00b7 via HTTP:16101 \u00b7 (sonde \/ probe)", "target_port_label": "16101 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16101_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16101_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16101, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16101, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16101 tcp \u00b7 via HTTP:16101 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16101 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16101" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:51:17 UTC	TCP	8852 · HTTP	http	Sonde port 8852/TCP port 8852 tcp · via HTTP:8852 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8852 Chemin / cible / Preuve honeypot — Sonde port 8852/TCP Connexion détectée sur le port 8852 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8852_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8852 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8852 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "5f22562223a3c629bf7275e6afccf0f6abce8015", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8852, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c7027851ef0791e3c08e9ddb18a42ae9c9cc89ed", "event_fingerprint": "7a30a6bbc21df2772a4c27d9dedd22e8d2f0aff3", "classification_reason": "Type \u00ab port_8852_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "47c55ff31e1aeedf8d509d41666cfe2a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8852, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8852_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dcbaf3e451661c04993a27e2b97e5174f3590a3c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8852, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8852 tcp \u00b7 via HTTP:8852 \u00b7 (sonde \/ probe)", "target_port_label": "8852 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8852_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8852_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8852, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8852, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8852 tcp \u00b7 via HTTP:8852 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8852 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8852" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:50:05 UTC	TCP	20182 · HTTP	http	Sonde port 20182/TCP port 20182 tcp · via HTTP:20182 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20182 Chemin / cible / Preuve honeypot — Sonde port 20182/TCP Connexion détectée sur le port 20182 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_20182_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20182 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20182 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "0abc9b7f2450bad5b31261d08cbb10b64f7228cc", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.102041053565556, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 20182, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "9734153f12d46fe2cb3870bc2027445b2a44c152", "event_fingerprint": "16e9a83cf3eec0fd256966ca14f915dc2f12ea2e", "classification_reason": "Type \u00ab port_20182_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "0b12197bc26c7c7fccd14df008878766", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20182, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_20182_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f500a96c9dcfa117995c6dc288673e441eedd45", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 20182, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 20182 tcp \u00b7 via HTTP:20182 \u00b7 (sonde \/ probe)", "target_port_label": "20182 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_20182_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_20182_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20182, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 20182, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 20182 tcp \u00b7 via HTTP:20182 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "20182 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20182" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:46:27 UTC	TCP	8112 · HTTP	http	Sonde port 8112/TCP port 8112 tcp · via HTTP:8112 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8112 Chemin / cible / Preuve honeypot — Sonde port 8112/TCP Connexion détectée sur le port 8112 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8112_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8112 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8112 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d87c9eb95a0723896f979762e39c08249592bad6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.094021327097768, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8112, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "385e7e02799731e55a0293b89bda963da30fdd46", "event_fingerprint": "0c7367b6ede38ab0f2e2fe34949721f46ab92b9b", "classification_reason": "Type \u00ab port_8112_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "55bb0f5695a134b5c3201641216c7c26", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8112, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8112_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4d9c5a063671fe4b70390737c2916ee216070b25", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8112, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8112 tcp \u00b7 via HTTP:8112 \u00b7 (sonde \/ probe)", "target_port_label": "8112 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8112_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8112_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8112, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8112, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8112 tcp \u00b7 via HTTP:8112 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8112 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8112" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:43:39 UTC	TCP	16036 · HTTP	http	Sonde port 16036/TCP port 16036 tcp · via HTTP:16036 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16036 Chemin / cible / Preuve honeypot — Sonde port 16036/TCP Connexion détectée sur le port 16036 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16036_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16036 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16036 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "65f4f1ac66a18640149fce5fdd6d3dfdab799c39", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.09177047530483, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16036, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "25f6ca300654d04c1ac14c9ef2e6c34644fab2c3", "event_fingerprint": "f463fd97603fbaa82cc82699d58161468b7d7e8a", "classification_reason": "Type \u00ab port_16036_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c3ad1bae32e2640999f966c4f8ee4b79", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16036, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16036_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "91fdcbd9d569933694459b544f3f3f6983b718b7", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16036, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16036 tcp \u00b7 via HTTP:16036 \u00b7 (sonde \/ probe)", "target_port_label": "16036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16036_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16036_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16036, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16036, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16036 tcp \u00b7 via HTTP:16036 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16036" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "kerberos" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:42:54 UTC	TCP	8315 · HTTP	http	Sonde port 8315/TCP port 8315 tcp · via HTTP:8315 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8315 Chemin / cible / Preuve honeypot — Sonde port 8315/TCP Connexion détectée sur le port 8315 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8315_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8315 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8315 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "cda5e12821a0801e4561020ceca21579813cd0e3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.094882265584569, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8315, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "e4ee6aaf9adf41cdcd6cb0d5fddd8f178fdcf432", "event_fingerprint": "c261907cb7db5bcea93a9a5f3d3f4b08e8b5e7b9", "classification_reason": "Type \u00ab port_8315_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "dcb4920ca2415a0a27c3eedae15184fb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8315, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8315_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4320b31daca8cbd022548a0dc524b30c10cf08dd", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8315, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8315 tcp \u00b7 via HTTP:8315 \u00b7 (sonde \/ probe)", "target_port_label": "8315 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8315_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8315_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8315, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8315, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8315 tcp \u00b7 via HTTP:8315 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8315 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8315" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "kerberos" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:39:40 UTC	TCP	88 · KERBEROS	kerberos	kerberos kerberos · via KERBEROS:88 · (sonde / probe)	Moyenne	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur KERBEROS WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 88 Chemin / cible — Service KERBEROS Payload GET / HTTP/1.1 Host: 62.3.50.33:88 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection Pourquoi cette classification : Type « kerberos » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 24 Confiance : Confiance 0 % — 1 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:88 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:88 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "6e82000c0a104142434445464748494a", "emulator_response_len": 16, "bytes_in": 144, "payload_entropy": 5.095326672675844, "port_category": "well_known", "org": "Google LLC", "service": "kerberos", "app_proto": "kerberos", "asn": 396982, "country": "BE", "dst_port": 88, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 32, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 40, "protocol": 32, "novelty": 15 }, "risk_score": 24, "tag_count": 1, "anomaly_count": 0, "campaign_key": "8e9cb969ceab740c93efec9e791ca73d858fd046", "event_fingerprint": "31e4a798ccff9624b861a6d5c96061ad06a8a14c", "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 40, "protocol": 32, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "kerberos", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "862c98f4f87aade808def214326da0d1", "path_pattern_hash": "d6f845779b5f0a377f3854eb15f1b5b6" }, "target_context": { "dst_port": 88, "service": "kerberos", "service_name": "kerberos", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "886a4e953728471245d0253c3df8c9b2c7efc1c1", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "port": 88, "service": "kerberos", "service_label_fr": "KERBEROS" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "attack_vector": "kerberos \u00b7 via KERBEROS:88 \u00b7 (sonde \/ probe)", "target_port_label": "88 \u00b7 KERBEROS", "emulator_service": "kerberos", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 40, "protocol": 32, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "kerberos", "service_label_fr": "KERBEROS", "dst_port": 88, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-kerberos", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "port": 88, "service": "kerberos", "service_label_fr": "KERBEROS" }, "attack_vector": "kerberos \u00b7 via KERBEROS:88 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "target_port_label": "88 \u00b7 KERBEROS", "emulator_service": "kerberos", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "kerberos", "service_banner": "honeypot-kerberos", "service_os": "linux", "dst_port": "88" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "kerberos" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ], "asn_dc_heuristic": true }
15/06/2026 10:39:19 UTC	TCP	5089 · HTTP	http	Sonde port 5089/TCP port 5089 tcp · via HTTP:5089 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5089 Chemin / cible / Preuve honeypot — Sonde port 5089/TCP Connexion détectée sur le port 5089 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5089_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5089 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5089 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "dc7bc0302a32528383c37d758790ae6af84dd352", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5089, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "a1b326a47ff210dc048f8541f646b10b0b55543d", "event_fingerprint": "2669fa775dd319fd1948871042c28d31462a94f5", "classification_reason": "Type \u00ab port_5089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "be9e1acddfc69f7d82103683fd36148f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5089, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2981d713069fd073d26690619a3648abacb8593f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5089, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5089 tcp \u00b7 via HTTP:5089 \u00b7 (sonde \/ probe)", "target_port_label": "5089 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5089, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5089, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5089 tcp \u00b7 via HTTP:5089 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5089 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5089" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:38:25 UTC	TCP	5245 · HTTP	http	Sonde port 5245/TCP port 5245 tcp · via HTTP:5245 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5245 Chemin / cible / Preuve honeypot — Sonde port 5245/TCP Connexion détectée sur le port 5245 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5245_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5245 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5245 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "dc28fc4fcf7cbe002d56c5bd9ea44345a7eb3411", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.094021327097768, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5245, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "817146a1c8bcd373bb5dc1d84f32c317efbdb033", "event_fingerprint": "a300a3bd63fb4644e532ebb4b1c042beac2e77f6", "classification_reason": "Type \u00ab port_5245_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "d85bd5493e18720fcc0861c6d054ffa9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5245, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5245_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "826abf0878a20815fd184999b39146fe1cc895d1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5245, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5245 tcp \u00b7 via HTTP:5245 \u00b7 (sonde \/ probe)", "target_port_label": "5245 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5245_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5245_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5245, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5245, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5245 tcp \u00b7 via HTTP:5245 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5245 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5245" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:37:27 UTC	TCP	23184 · HTTP	http	Sonde port 23184/TCP port 23184 tcp · via HTTP:23184 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 23184 Chemin / cible / Preuve honeypot — Sonde port 23184/TCP Connexion détectée sur le port 23184 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_23184_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:23184 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:23184 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "628e474ed30883e5359a37cfca895f69b638bcb0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.1156464957424275, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 23184, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "0f99f8f20def58b66017be320130df9da3f0319d", "event_fingerprint": "a43584be358e4b33a7ec270c14426052f49902ca", "classification_reason": "Type \u00ab port_23184_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "ee5f9d8a3ec4ad9e19a2274cb138a166", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 23184, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_23184_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "467408fbc87ec3dc27b0182784d7ffd46e3ff63e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 23184, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 23184 tcp \u00b7 via HTTP:23184 \u00b7 (sonde \/ probe)", "target_port_label": "23184 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23184_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23184_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 23184, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 23184, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 23184 tcp \u00b7 via HTTP:23184 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "23184 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "23184" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:36:35 UTC	TCP	8251 · HTTP	http	Scan de ports port scan syn · via HTTP:8251 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8251 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +6 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8251 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8251 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "fb39e613d8c38ebb4d93a27e696e253e0bde26b4", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.097379032547585, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8251, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "e6317d1024632c38e0a01325832d2151c3f38ddd", "event_fingerprint": "2ab21f649e641342b89846f00c1f6b359b9d3f32", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "4f7865e1411d194c6446861ee6ad2f8d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8251, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8251\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8251\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8251\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8251\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8251\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2085a4285c64ec388f6763347c77dc093bf77dc2", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8251, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8251\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:8251 \u00b7 (reconnaissance)", "target_port_label": "8251 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 6 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8251, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports" ], "correlation_flags_labels_fr": [ "Campagne multi-ports" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8251, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8251 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8251\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8251 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8251" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 5989, 8251, 12206, 19000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:36:03 UTC	TCP	5989 · HTTP	http	Scan de ports port scan syn · via HTTP:5989 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5989 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +6 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5989 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5989 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "92dc0f0eefcc7864639804ffad975503f4cebbe1", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5989, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "e637d5448030c4f65cd4c23778500f8d9522a3b0", "event_fingerprint": "9942dc5f2f641de418bf87e8244334a17f728e72", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "bcb9a7fb9845f776d97cb6c693f3efdd", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5989, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5989\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5989\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5989\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5989\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5989\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3ef2bfd2ae80a4f330f0c3a5b573a9958e54815", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5989, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5989\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:5989 \u00b7 (reconnaissance)", "target_port_label": "5989 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42, "correlation_boost": 6 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5989, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports" ], "correlation_flags_labels_fr": [ "Campagne multi-ports" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5989, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:5989 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5989\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5989 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5989" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 5989, 12206, 19000, 21253 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:35:58 UTC	TCP	12206 · HTTP	http	Scan de ports port scan syn · via HTTP:12206 · (reconnaissance)	Élevée	Moyen · 43
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12206 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +6 Risque capteur Moyen · 43 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12206 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12206 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "2b179879fbfb09dd5ba0c16d36d992302d9348d3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.088435611388687, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12206, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 43, "tag_count": 4, "anomaly_count": 1, "campaign_key": "a3bb6768d34e248232320dd801781d89ab2bbb04", "event_fingerprint": "e502c208c46bd87b4cfa9acda9ee055248831980", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 43, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "d93a368868cccec0c28ad32c63c56b9a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12206, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12206\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12206\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12206\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12206\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12206\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5556a48d9042ef2fac4625f4555ba31ad4ced084", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12206, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12206\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port scan syn \u00b7 via HTTP:12206 \u00b7 (reconnaissance)", "target_port_label": "12206 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne multi-ports", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 43, "correlation_boost": 6 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12206, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports" ], "correlation_flags_labels_fr": [ "Campagne multi-ports" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12206, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:12206 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12206\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12206 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +6 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12206" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 12206, 12341, 19000, 21253 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 2, "behavior_priority": 84 }
15/06/2026 10:35:38 UTC	TCP	19000 · HTTP	http	Scan de ports port scan syn · via HTTP:19000 · (reconnaissance)	Élevée	Moyen · 44
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 19000 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 44 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:19000 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:19000 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "c22e863873e2289dccf99007d8922e9e1d2a1151", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.107855699635443, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 19000, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 44, "tag_count": 4, "anomaly_count": 1, "campaign_key": "bc78670ad3a352d8547f26df1d70d4dc1fabc3b0", "event_fingerprint": "937507b113c4f47174d2eaace174e43cc6d63273", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c104f2b855121bcf1b6e27409a53f565", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 19000, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "75290f9bc5564c99bd5a13d8509e018eb7f85f05", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 19000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port scan syn \u00b7 via HTTP:19000 \u00b7 (reconnaissance)", "target_port_label": "19000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 19000, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 19000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:19000 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "19000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "19000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:35:19 UTC	TCP	21253 · HTTP	http	Sonde port 21253/TCP port 21253 tcp · via HTTP:21253 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 21253 Chemin / cible / Preuve honeypot — Sonde port 21253/TCP Connexion détectée sur le port 21253 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_21253_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21253 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:21253 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "3205e9cbcbb01553916c56283d91e02a93589a21", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.072350387058072, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 21253, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "9c61747098e6ae49bce639780839a0e44872a7c2", "event_fingerprint": "4b99020507f20795d30b1899c9efc94d7bb80e91", "classification_reason": "Type \u00ab port_21253_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "4b61b4cf834bfb7db43fb5cf4ef5eafc", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 21253, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21253\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21253\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21253\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21253\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21253\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_21253_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b0b50b7b1ea13faf426553f0e133514349e2f45f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21253, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21253\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 21253 tcp \u00b7 via HTTP:21253 \u00b7 (sonde \/ probe)", "target_port_label": "21253 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_21253_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_21253_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 21253, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 21253, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 21253 tcp \u00b7 via HTTP:21253 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21253\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "21253 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "21253" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:34:58 UTC	TCP	12341 · HTTP	http	Sonde port 12341/TCP port 12341 tcp · via HTTP:12341 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12341 Chemin / cible / Preuve honeypot — Sonde port 12341/TCP Connexion détectée sur le port 12341 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12341_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12341 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12341 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8e365384d5c42f095ccad88a72c3e56f20be32d8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.09357090051905, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12341, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "abec836d8e1d29eb7bab665e9aa951ae57b764ca", "event_fingerprint": "b13eee516429c1ff23b0a821b3d91f36f7ac1760", "classification_reason": "Type \u00ab port_12341_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "3570c9b51ab683b76a1dc4fda42f9a2e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12341, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12341\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12341\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12341\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12341\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12341\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12341_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "55e1486a5f1fbfd9e8cf3dfbc0a640feabe447ef", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12341, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12341\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12341 tcp \u00b7 via HTTP:12341 \u00b7 (sonde \/ probe)", "target_port_label": "12341 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12341_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12341_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12341, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12341, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12341 tcp \u00b7 via HTTP:12341 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12341\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12341 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12341" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:33:28 UTC	TCP	9080 · HTTP	http	Sonde port 9080/TCP port 9080 tcp · via HTTP:9080 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible / Preuve honeypot — Sonde port 9080/TCP Connexion détectée sur le port 9080 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9080_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9080 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9080 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "619292ecb05b33d53073614c09ef5a4ed42429f0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9080, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "69bcf362ee7eb4a99c592be1fba0e51c54474630", "event_fingerprint": "61865969d96150e256d39c83a8c1dbfe97517f54", "classification_reason": "Type \u00ab port_9080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "440399770573e0e29f735a60bfd0c357", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9080\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9080\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9080\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9080\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9080\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0b9ed8de6e92c1921cb8f6c8ec1c35add1dfebf6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9080\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9080 tcp \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe)", "target_port_label": "9080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9080 tcp \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9080\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:28:18 UTC	TCP	2570 · HTTP	http	Sonde port 2570/TCP port 2570 tcp · via HTTP:2570 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2570 Chemin / cible / Preuve honeypot — Sonde port 2570/TCP Connexion détectée sur le port 2570 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_2570_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2570 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2570 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "9b8477f956aa1f7e139f7d5cdb3e09ce07aee270", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2570, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "6b95c2cb453c6f6945c85950df490faf6ffb672c", "event_fingerprint": "5c04fc1995d07fead2bb18137d9925c4d53d8d0e", "classification_reason": "Type \u00ab port_2570_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "af2472a2ec3b2499cb8568d5655d7346", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2570, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2570\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2570\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2570\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2570\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2570\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_2570_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9fad85c90638f4a084f4a0186170386fa35ccd14", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2570, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2570\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 2570 tcp \u00b7 via HTTP:2570 \u00b7 (sonde \/ probe)", "target_port_label": "2570 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_2570_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_2570_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2570, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2570, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 2570 tcp \u00b7 via HTTP:2570 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2570\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2570 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2570" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:26:39 UTC	TCP	9084 · HTTP	http	Sonde port 9084/TCP port 9084 tcp · via HTTP:9084 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9084 Chemin / cible / Preuve honeypot — Sonde port 9084/TCP Connexion détectée sur le port 9084 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9084_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9084 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9084 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "31d506f3312da05b8dc782f30767fab4ec643e60", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.143645385302128, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9084, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "2620cb269bf3de38d085862989b9c158099404ea", "event_fingerprint": "1d446bcbef4a806a8af6c08d54451fd69356e43e", "classification_reason": "Type \u00ab port_9084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2ca797cceeb00f40299d8c1606940d56", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9084, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "90b1efe85c84e2b64e86700c980555895feeb89a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9084, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9084 tcp \u00b7 via HTTP:9084 \u00b7 (sonde \/ probe)", "target_port_label": "9084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9084, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9084, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9084 tcp \u00b7 via HTTP:9084 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9084" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:25:29 UTC	TCP	4646 · HTTP	http	Scan de ports port scan syn · via HTTP:4646 · (reconnaissance)	Élevée	Moyen · 44
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4646 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 44 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4646 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4646 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "46a9b2ce10e9d611ee86e145e07ad2eb86ad6ce6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.111077662684571, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 4646, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 44, "tag_count": 4, "anomaly_count": 1, "campaign_key": "00d13e6b6b24f0f4529c9cfb237c8b0b13fbdf06", "event_fingerprint": "a6956ffa4c7ad51266857cbcbb7bbd49d9a5fa55", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "10c3a48966a9096610c58f2e1dacaaf7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 4646, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4646\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4646\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4646\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4646\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4646\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0d16dc75bc1960e19d54b8b9ae9feb5ab499b8d8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 4646, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4646\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:4646 \u00b7 (reconnaissance)", "target_port_label": "4646 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4646, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 4646, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:4646 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4646\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "4646 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4646" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:24:43 UTC	TCP	3156 · HTTP	http	Scan de ports port scan syn · via HTTP:3156 · (reconnaissance)	Élevée	Moyen · 43
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3156 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 43 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3156 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3156 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "1b2142e9aa910d77cfeb2acac24e8c59eb5e4937", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.081183635447583, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3156, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 43, "tag_count": 4, "anomaly_count": 1, "campaign_key": "950354794db128abbd4bbc4384164ee514fe93a7", "event_fingerprint": "b37aeb88b07f4210e978bb48e6d1837234faf73d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "f5b9d16b5a8e806f6c6bf97109ba8abe", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3156, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3156\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3156\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3156\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3156\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3156\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44095eaa118ce05a7366b2c4e49e0c0259a8512e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3156, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3156\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:3156 \u00b7 (reconnaissance)", "target_port_label": "3156 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 43 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3156, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3156, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:3156 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3156\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3156 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3156" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:24:35 UTC	TCP	12508 · HTTP	http	Sonde port 12508/TCP port 12508 tcp · via HTTP:12508 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12508 Chemin / cible / Preuve honeypot — Sonde port 12508/TCP Connexion détectée sur le port 12508 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12508_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12508 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12508 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "af6c368d5d3c35be13039f898bd91280c2e55eab", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.107855699635443, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12508, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "b7065d9b7f70a106a512243892b1554f20334cc8", "event_fingerprint": "9d602c0e519a60a4a5429411dabbd286717ddb21", "classification_reason": "Type \u00ab port_12508_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "5877378ac0a8bfbf59e2c7cd7d556432", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12508, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12508\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12508\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12508\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12508\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12508\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12508_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e1c4133375e68089aba5f0af55ccf1fbfa6a8ddb", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12508, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12508\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12508 tcp \u00b7 via HTTP:12508 \u00b7 (sonde \/ probe)", "target_port_label": "12508 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12508_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12508_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12508, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12508, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12508 tcp \u00b7 via HTTP:12508 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12508\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12508 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12508" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:24:28 UTC	TCP	8822 · HTTP	http	Sonde port 8822/TCP port 8822 tcp · via HTTP:8822 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8822 Chemin / cible / Preuve honeypot — Sonde port 8822/TCP Connexion détectée sur le port 8822 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8822_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8822 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8822 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "cf6d187d1889911b391cb6550f41fa644865be5b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.096695022478339, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8822, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "84fc1b2f233f2bf00e0755b07fe28e3bfeedf324", "event_fingerprint": "2c151e490524989c6d6b42d056c847727557fd2c", "classification_reason": "Type \u00ab port_8822_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "f79378c4441fcca3a42bfc996dd64ab8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8822, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8822\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8822\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8822\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8822\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8822\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8822_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2433e923d5ffb6cbfba2350677932b6551a3c1f1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8822, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8822\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8822 tcp \u00b7 via HTTP:8822 \u00b7 (sonde \/ probe)", "target_port_label": "8822 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8822_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8822_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8822, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8822, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8822 tcp \u00b7 via HTTP:8822 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8822\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8822 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8822" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:20:12 UTC	TCP	1110 · HTTP	http	Sonde port 1110/TCP port 1110 tcp · via HTTP:1110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1110 Chemin / cible / Preuve honeypot — Sonde port 1110/TCP Connexion détectée sur le port 1110 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_1110_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1110 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1110 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "f467d15de80c803720c0947535567d0e1bb61709", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.0778259299977675, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 1110, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "dc0de1d389c1a9d59735e18cd71b89e175611d49", "event_fingerprint": "6ca2d57c470f561680757ec761f26e7e321c831d", "classification_reason": "Type \u00ab port_1110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "f0a64438fdfdaafcbc5f049fa19712b2", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1110, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_1110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87a1be0d94bd628a5576b65ea351840b17154985", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1110, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 1110 tcp \u00b7 via HTTP:1110 \u00b7 (sonde \/ probe)", "target_port_label": "1110 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_1110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_1110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1110, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1110, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 1110 tcp \u00b7 via HTTP:1110 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "1110 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:18:44 UTC	TCP	17775 · HTTP	http	Sonde port 17775/TCP port 17775 tcp · via HTTP:17775 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 17775 Chemin / cible / Preuve honeypot — Sonde port 17775/TCP Connexion détectée sur le port 17775 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_17775_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:17775 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:17775 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "b94ec14826617cd0dd884dd18cd79e58b898a7c9", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.111190563551587, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 17775, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "49b7002f638dd5bdb8ad20e5fc05fdc1cad995c1", "event_fingerprint": "cc97668a717b2706a2bd3dc72e78aa51115f1b08", "classification_reason": "Type \u00ab port_17775_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "41d9545dbb75ede1357d2c1290a0fbc7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 17775, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17775\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17775\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17775\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17775\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17775\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_17775_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "70b02b03c881ed3d404d2f76925d3411fccc8e26", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17775\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 17775 tcp \u00b7 via HTTP:17775 \u00b7 (sonde \/ probe)", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_17775_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_17775_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 17775, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 17775 tcp \u00b7 via HTTP:17775 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17775\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "17775" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:17:47 UTC	TCP	5231 · HTTP	http	Sonde port 5231/TCP port 5231 tcp · via HTTP:5231 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5231 Chemin / cible / Preuve honeypot — Sonde port 5231/TCP Connexion détectée sur le port 5231 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5231_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5231 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5231 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "cefb65ae20d160c86ad52aa12c94c3488c3e83b6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.072655467654182, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5231, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "4e3e6465c2030e7a67148cbd81aeda1dd925e0ba", "event_fingerprint": "ebfff55df28821ae7032111a2983bf1de661269f", "classification_reason": "Type \u00ab port_5231_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "e1536ccdd9fb6905bf727e8285eac40a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5231, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5231\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5231\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5231\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5231\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5231\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5231_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a92cab7d8762741ef5b0c4909e6c804addb2954", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5231, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5231\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5231 tcp \u00b7 via HTTP:5231 \u00b7 (sonde \/ probe)", "target_port_label": "5231 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5231_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5231_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5231, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5231, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5231 tcp \u00b7 via HTTP:5231 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5231\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5231 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5231" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }

34.79.151.177

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence