Renseignement sur les menaces

Belgique

34.79.151.177

FAI Google LLC Première vue 18/05/2026 06:07 UTC Dernière vue 16/06/2026 07:32 UTC Risque Critique

Période analysée : 2026-06-09 → 2026-06-16

Activité suspecte · risque 38/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 85/100 Critique

Première observation 18/05/2026 06:07 UTC

Dernière observation 16/06/2026 07:32 UTC

Événements (période) 67

MITRE ATT&CK principal TA0007 130 occurrences

Activité suspecte · risque 38/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_10243_tcp » (signaux protocolaires) · confiance 55%

Confiance 55 % — Score WAF 32 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.79.144.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 67 événements sur la période pour cette IP.

34.62.36.252 Sonde port 18038/TCP 16/06/2026 07:33 UTC
34.53.192.169 Scan de ports 16/06/2026 07:33 UTC
34.14.117.1 Sonde port 2111/TCP 16/06/2026 07:33 UTC
34.38.195.167 Scan de ports 16/06/2026 07:32 UTC
147.185.133.173 Scanner web 16/06/2026 07:32 UTC
35.241.166.201 Sonde port 12272/TCP 16/06/2026 07:32 UTC
34.79.87.63 Sonde port 8869/TCP 16/06/2026 07:32 UTC
34.62.40.111 Sonde port 21515/TCP 16/06/2026 07:30 UTC

Événements (filtres)

Première observation

18/05/2026 06:07 UTC

Dernière observation

16/06/2026 07:32 UTC

Dernière activité (filtres)

16/06/2026 07:32 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 63 KERBEROS TCP 1 MYSQL TCP 1 POSTGRES TCP 1 I2P ROUTER TCP 1

HTTP

KERBEROS

MYSQL

POSTGRES

I2P ROUTER

Géolocalisation

Origine réseau déclarée

Belgique unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 598 Port 16000 port_16000_tcp

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

port 10243 tcp · via HTTP:10243 · (sonde / probe)

Détails protocole

Méthode: GET
Chemin: /
User-Agent: python-requests/2.32.5

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:10243 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connect

Port / service

10243 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Confiance

55%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

67 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

67 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 07:32:27 UTC	TCP	16000 · HTTP	http	Sonde port 16000/TCP port 16000 tcp · via HTTP:16000 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16000 Chemin / cible / Preuve honeypot — Sonde port 16000/TCP Connexion détectée sur le port 16000 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16000_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16000 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16000 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "df6a9a23ad00869325eeea4bedc221a0f1cb60de", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.094250257458573, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16000, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "606321afc2185cb5f1749e9a6e9d7dfac5ad627d", "event_fingerprint": "2b467531ccefb2b969df40b10dfa6ca58e5ecdc1", "classification_reason": "Type \u00ab port_16000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "6a3cbf132dd30a298f7b2c3b19063ee0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16000, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "811ba5871c9dbf9dddfd28e876d7e41be99b45e6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16000, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16000 tcp \u00b7 via HTTP:16000 \u00b7 (sonde \/ probe)", "target_port_label": "16000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16000, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16000, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16000 tcp \u00b7 via HTTP:16000 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16000 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
16/06/2026 07:31:14 UTC	TCP	5271 · HTTP	http	Sonde port 5271/TCP port 5271 tcp · via HTTP:5271 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5271 Chemin / cible / Preuve honeypot — Sonde port 5271/TCP Connexion détectée sur le port 5271 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5271_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5271 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5271 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "a9d3c7f2c0730791959e54d59c8df66f51ec22d1", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.097379032547585, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5271, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "85f15a9eddab4fe4ab26e78bf2a1e9182fc9023b", "event_fingerprint": "5fc3cf6012fe9afae51ad8f3ab6d7a7ecfbf0234", "classification_reason": "Type \u00ab port_5271_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "8cd36d2f69540c1e34a701818af7cab3", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5271, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5271\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5271\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5271\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5271\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5271\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5271_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "467fb99f84263ffa5e6ef69a0882c27f720a8c65", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5271, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5271\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5271 tcp \u00b7 via HTTP:5271 \u00b7 (sonde \/ probe)", "target_port_label": "5271 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5271_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5271_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5271, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5271, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5271 tcp \u00b7 via HTTP:5271 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5271\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5271 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5271" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
16/06/2026 07:30:43 UTC	TCP	12164 · HTTP	http	Sonde port 12164/TCP port 12164 tcp · via HTTP:12164 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12164 Chemin / cible / Preuve honeypot — Sonde port 12164/TCP Connexion détectée sur le port 12164 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12164_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12164 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12164 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d7d7ef52aaf8500352f7cfb4c122d27953ce9e75", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.1045208357193, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12164, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "70b84bed7b57af2e282f67d3d60cb37e0e96158d", "event_fingerprint": "7499ef7b2e42a2681909c28d26847f3efd29f2e7", "classification_reason": "Type \u00ab port_12164_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "deaf2dcbe1ff4a495f7507d91dcd2c2b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12164, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12164\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12164\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12164\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12164\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12164\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12164_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6e78903b008466faa175324022d91ef1ff3fce03", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12164, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12164\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12164 tcp \u00b7 via HTTP:12164 \u00b7 (sonde \/ probe)", "target_port_label": "12164 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12164_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12164_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12164, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12164, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12164 tcp \u00b7 via HTTP:12164 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12164\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12164 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12164" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
16/06/2026 07:24:42 UTC	TCP	10243 · HTTP	http	Sonde port 10243/TCP port 10243 tcp · via HTTP:10243 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10243 Chemin / cible / Preuve honeypot — Sonde port 10243/TCP Connexion détectée sur le port 10243 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_10243_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10243 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10243 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "93c1b683bd084f30372db6da23c5def5302536f4", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.102041053565556, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 10243, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "0e9ad6474fb576b26041af63bfac9597de1a2eae", "event_fingerprint": "3990cae8fffdbe66845badd6b382c2411a3a6cb7", "classification_reason": "Type \u00ab port_10243_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "302a4919b45fa4e332c7698e14f64348", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 10243, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10243\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10243\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10243\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10243\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10243\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_10243_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9ef4e639ab5affbf1c2624ca1c45366e6fd9a6b7", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 10243, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10243\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 10243 tcp \u00b7 via HTTP:10243 \u00b7 (sonde \/ probe)", "target_port_label": "10243 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_10243_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_10243_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10243, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 10243, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 10243 tcp \u00b7 via HTTP:10243 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10243\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "10243 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10243" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
16/06/2026 07:12:01 UTC	TCP	8575 · HTTP	http	Sonde port 8575/TCP port 8575 tcp · via HTTP:8575 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8575 Chemin / cible / Preuve honeypot — Sonde port 8575/TCP Connexion détectée sur le port 8575 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8575_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8575 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8575 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d5667348204d04a272d429aef58e3caa2384f632", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.116248125028156, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8575, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "7227a889f86c2f5938d89158b7bddddc03f063d5", "event_fingerprint": "4de542560813f18ab397ee44e08f66a1ad521d08", "classification_reason": "Type \u00ab port_8575_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2fcca623a56f0250264a035bf7e01265", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8575, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8575_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a0716916367e05265edc9beb116f55cfdd734dcc", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8575, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8575 tcp \u00b7 via HTTP:8575 \u00b7 (sonde \/ probe)", "target_port_label": "8575 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8575_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8575_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8575, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8575, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8575 tcp \u00b7 via HTTP:8575 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8575\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8575 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8575" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
16/06/2026 07:02:53 UTC	TCP	9043 · HTTP	http	Sonde port 9043/TCP port 9043 tcp · via HTTP:9043 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9043 Chemin / cible / Preuve honeypot — Sonde port 9043/TCP Connexion détectée sur le port 9043 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9043_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9043 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9043 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "90eaf61b8da1d16bf3de0d42e105776258f54afc", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.118921820408727, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9043, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "824835b3a8d23e233fb8fd5e0eb415cf3a819b12", "event_fingerprint": "2859284075c189a51ed2ca85b156411e7cd5ec97", "classification_reason": "Type \u00ab port_9043_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "69c987f38e686f0c085b7ca33c7e1d6c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9043, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9043\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9043\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9043\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9043\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9043\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9043_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e2811c2b3c1c902f89047cb6f42e821c3b6ae96a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9043, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9043\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9043 tcp \u00b7 via HTTP:9043 \u00b7 (sonde \/ probe)", "target_port_label": "9043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9043_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9043_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9043, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9043, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9043 tcp \u00b7 via HTTP:9043 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9043\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9043" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
16/06/2026 05:05:05 UTC	TCP	5433 · POSTGRES	postgres	Sonde PostgreSQL postgresql probe · via POSTGRES:5433 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Handshake PostgreSQL (startup) Émulateur POSTGRES WAF — Recommandation Surveiller Tags net_postgresql_probe postgres_emulated postgres_startup Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5433 Chemin / cible — Service POSTGRES Payload �/ Pourquoi cette classification : Type « postgresql_probe » (signaux protocolaires) · confiance 60% Confiance classification 60% Risque capteur Moyen · 45 Confiance : Confiance 60 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0636 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Postgres alt port scan User-Agent — Règles WAF — Payload (extrait) �/ Meta JSON brut { "protocol_emulated": true, "emulator_response": "0000001252000000057573657200706f73746772657300", "emulator_response_len": 23, "bytes_in": 8, "payload_entropy": 2.4056390622295662, "port_category": "registered", "org": "Google LLC", "service": "postgres", "app_proto": "postgres", "asn": 396982, "country": "BE", "dst_port": 5433, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "4634dcae6ee3e1b240a2790abb196f3d7404eb8b", "event_fingerprint": "24862287862c600a66dac19863a96685a49e8e17", "classification_reason": "Type \u00ab postgresql_probe \u00bb (signaux protocolaires) \u00b7 confiance 60%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 67, "precision_signals": [ "pat-0636", "INT-upstream" ], "kb_rule_ids": [ "pat-0636", "INT-upstream" ], "matched_patterns": [ "pat-0554", "pat-0636" ], "matched_pattern_names": [ "Minecraft varint handshake", "Postgres alt port scan" ], "pattern_ids": [ "pat-0554", "pat-0636" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "postgres", "risk_confidence_factor": 60, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "694bec2754742b999eb8e010ccd19ce8", "path_pattern_hash": "2e6f775d89e58a7f725edffbb3ac7743" }, "target_context": { "dst_port": 5433, "service": "postgres", "service_name": "postgres", "risk_score": 45 }, "payload_preview": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/", "request_sample": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/", "payload_snippet": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/", "evidence": { "request_sample": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/", "payload_snippet": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/", "classification_reason": "Type \u00ab postgresql_probe \u00bb (signaux protocolaires) \u00b7 confiance 60%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce58c384f379d001a2936336fad8bb63902f5c95", "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "payload_preview": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/", "port": 5433, "service": "postgres", "service_label_fr": "POSTGRES" }, "evidence_snippet": "\ufffd\/", "attack_vector": "postgresql probe \u00b7 via POSTGRES:5433 \u00b7 (sonde \/ probe)", "target_port_label": "5433 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 60 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgresql_probe \u00bb (signaux protocolaires) \u00b7 confiance 60%", "classification_reason_label_fr": "Type \u00ab postgresql_probe \u00bb (signaux protocolaires) \u00b7 confiance 60%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 60, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "postgres", "service_label_fr": "POSTGRES", "dst_port": 5433, "protocol_emulated": true, "tags_summary": [ "pat-0636", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0636", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-postgres", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "postgres_startup_fr": "Handshake PostgreSQL (startup)", "payload_preview": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/", "port": 5433, "service": "postgres", "service_label_fr": "POSTGRES" }, "attack_vector": "postgresql probe \u00b7 via POSTGRES:5433 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\/", "target_port_label": "5433 \u00b7 POSTGRES", "emulator_service": "postgres", "confidence_reason": "Confiance 60 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "postgres", "service_banner": "honeypot-postgres", "service_os": "linux", "dst_port": "5433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_postgresql_probe", "postgres_emulated", "postgres_startup" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 12:00:40 UTC	TCP	8062 · HTTP	http	Scan de ports port scan syn · via HTTP:8062 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8062 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8062 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8062 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "1fe7ea73e050eb7ab384980868000760aff069d4", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.107719957234756, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8062, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 1, "campaign_key": "dbda29f4d28c2edf39e520a683802ae3be4380df", "event_fingerprint": "25814c5ce5980384a877f177b99a74aa9ae91901", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "09a041f2979cb1543aae11701886ff0c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8062, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0b49d3c7f7cf9f7f1a63fcd4ea6b84de1c829e4a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8062, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:8062 \u00b7 (reconnaissance)", "target_port_label": "8062 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 42 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8062, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8062, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8062 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8062 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8062" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 12:00:37 UTC	TCP	3030 · HTTP	http	Sonde port 3030/TCP port 3030 tcp · via HTTP:3030 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3030 Chemin / cible / Preuve honeypot — Sonde port 3030/TCP Connexion détectée sur le port 3030 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3030_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3030 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3030 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "84c2c0dcf1358c41c4494b8d54c203d2fb6899e2", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.073339477723427, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3030, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "eff2cfc2fc31bd5644fe67b861554f6feeede029", "event_fingerprint": "05120417f48aa33f5e4af98b47f977073ef78871", "classification_reason": "Type \u00ab port_3030_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "69d800e2b4f238b6c1113ddbd87bce03", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3030, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3030\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3030\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3030\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3030\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3030\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_3030_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "226e29ed02c1d334b13d772fb39f65d4e98c1b9f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3030, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3030\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 3030 tcp \u00b7 via HTTP:3030 \u00b7 (sonde \/ probe)", "target_port_label": "3030 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3030_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3030_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3030, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3030, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3030 tcp \u00b7 via HTTP:3030 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3030\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3030 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3030" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 11:59:44 UTC	TCP	6581 · HTTP	http	Sonde port 6581/TCP port 6581 tcp · via HTTP:6581 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6581 Chemin / cible / Preuve honeypot — Sonde port 6581/TCP Connexion détectée sur le port 6581 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_6581_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6581 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6581 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "8554b939d950cad1b9dbf00d409b9cc96b821ae0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.105907200340986, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 6581, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c699b0fa0728ffdb3896e2f1d8a6971bdc804602", "event_fingerprint": "b173b2eb678ec7e4d555a5bec4c19948d3eee588", "classification_reason": "Type \u00ab port_6581_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "fd454b7d6eecda32f72f65473527ae97", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6581, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_6581_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3eb4af79ba01ea0fb6a149b829bcd5db376c7937", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 6581, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 6581 tcp \u00b7 via HTTP:6581 \u00b7 (sonde \/ probe)", "target_port_label": "6581 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_6581_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_6581_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6581, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 6581, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 6581 tcp \u00b7 via HTTP:6581 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6581\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "6581 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6581" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:59:09 UTC	TCP	8573 · HTTP	http	Sonde port 8573/TCP port 8573 tcp · via HTTP:8573 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8573 Chemin / cible / Preuve honeypot — Sonde port 8573/TCP Connexion détectée sur le port 8573 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8573_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8573 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8573 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "cc9c557073ff7b44bc143f854d537d06ae71c372", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.113751358065142, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8573, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "1b3cf0e09172fcc838cfe97c9de8924ad4a77d05", "event_fingerprint": "90ba53c9d8681ad8a161bdeaba49e99ad776febe", "classification_reason": "Type \u00ab port_8573_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "e72eacf46f66f2d1b37998ba088b490f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8573, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8573\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8573\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8573\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8573\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8573\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8573_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6da792052ac783f14295c511129b5c4a550d4e6a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8573, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8573\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8573 tcp \u00b7 via HTTP:8573 \u00b7 (sonde \/ probe)", "target_port_label": "8573 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8573_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8573_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8573, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8573, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8573 tcp \u00b7 via HTTP:8573 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8573\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8573 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8573" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:56:12 UTC	TCP	2087 · HTTP	http	Sonde port 2087/TCP port 2087 tcp · via HTTP:2087 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2087 Chemin / cible / Preuve honeypot — Sonde port 2087/TCP Connexion détectée sur le port 2087 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_2087_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2087 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2087 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "f632b4de18b92074e4c6a166d9c86de50717ec9c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.121418587371742, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2087, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "859af6e3689e5266f328e9aa910131927518c8c6", "event_fingerprint": "30df77face6ffcbfcaa254e1d821da4cf2a734c8", "classification_reason": "Type \u00ab port_2087_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c0a1efa38fa64b283a4120c0b30dab09", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2087, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2087\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2087\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2087\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2087\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2087\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_2087_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1ee5994b5074c377c62710ceeac01e24453e8be8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2087, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2087\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 2087 tcp \u00b7 via HTTP:2087 \u00b7 (sonde \/ probe)", "target_port_label": "2087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_2087_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_2087_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2087, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2087, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 2087 tcp \u00b7 via HTTP:2087 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2087\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:53:54 UTC	TCP	221 · HTTP	http	Sonde port 221/TCP port 221 tcp · via HTTP:221 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 221 Chemin / cible / Preuve honeypot — Sonde port 221/TCP Connexion détectée sur le port 221 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_221_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:221 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connectio Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:221 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "87f055b8b8a45e589971e766ee0f31f05dcec388", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 145, "payload_entropy": 5.067138056795566, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 221, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "14b98d2cffec638f8c4e224b5877d3d79090b552", "event_fingerprint": "52730dee69792187ea2023b15446576b2cc4cf4c", "classification_reason": "Type \u00ab port_221_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "11374b62f5edd2eb8f9c18aac5aa1311", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 221, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "classification_reason": "Type \u00ab port_221_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f6481f5fb568278917ebd4f5b17c40f04f4e913", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 221, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "attack_vector": "port 221 tcp \u00b7 via HTTP:221 \u00b7 (sonde \/ probe)", "target_port_label": "221 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_221_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_221_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 221, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 221, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 221 tcp \u00b7 via HTTP:221 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnectio", "target_port_label": "221 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "221" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:53:38 UTC	TCP	9445 · HTTP	http	Sonde port 9445/TCP port 9445 tcp · via HTTP:9445 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9445 Chemin / cible / Preuve honeypot — Sonde port 9445/TCP Connexion détectée sur le port 9445 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9445_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9445 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9445 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "767ef3739fbd350f04b111f6b957b5ed557c8407", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9445, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "6d4e1a9ce7776bca8105754a2c749eaf39b089f7", "event_fingerprint": "86966c40ba3fede3cfb562db2a49ecf05dd12917", "classification_reason": "Type \u00ab port_9445_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "6377e2d6efcfc2c2c308ba73e16e4df3", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9445, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9445\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9445\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9445\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9445\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9445\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9445_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dbf1e3018b517d61d1e9f02c84c46777b52fc773", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9445, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9445\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9445 tcp \u00b7 via HTTP:9445 \u00b7 (sonde \/ probe)", "target_port_label": "9445 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9445_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9445_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9445, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9445, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9445 tcp \u00b7 via HTTP:9445 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9445\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9445 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:52:28 UTC	TCP	12311 · HTTP	http	Sonde port 12311/TCP port 12311 tcp · via HTTP:12311 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12311 Chemin / cible / Preuve honeypot — Sonde port 12311/TCP Connexion détectée sur le port 12311 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12311_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12311 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12311 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "3b9dfde69c32b984c9c12c9219acb4eee261ebee", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.069015523141929, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12311, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c35614337578b469a3e239dc6b4b03c0a1b51a56", "event_fingerprint": "765d85c79079a07e9ddabc6627d632a680ba958b", "classification_reason": "Type \u00ab port_12311_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "5db71d6aa83f70a5923db0a4b84b3e2b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12311, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12311_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "241384dff86478b9ce3f72019701cc1cc6ab0d5b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12311, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12311 tcp \u00b7 via HTTP:12311 \u00b7 (sonde \/ probe)", "target_port_label": "12311 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12311_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12311_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12311, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12311, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12311 tcp \u00b7 via HTTP:12311 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12311 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12311" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "i2p-router" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:48:41 UTC	TCP	18003 · HTTP	http	Sonde port 18003/TCP port 18003 tcp · via HTTP:18003 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18003 Chemin / cible / Preuve honeypot — Sonde port 18003/TCP Connexion détectée sur le port 18003 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_18003_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18003 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18003 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "299d3b0474740cb68a5dc8eb5b6ce14673840f8a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.105375917481701, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 18003, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "b625ec451efa500a65c32319150e4a34a11fde7e", "event_fingerprint": "1b92dc562f2f28dccc52b7d1b6cf8d92bdfe9cea", "classification_reason": "Type \u00ab port_18003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "6679642eee8f0a50db287b4418b11c12", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 18003, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18003\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18003\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18003\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18003\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18003\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_18003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "de30cbcce0e53a1fd9e86e3be3e4bf56be807c73", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18003, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18003\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 18003 tcp \u00b7 via HTTP:18003 \u00b7 (sonde \/ probe)", "target_port_label": "18003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_18003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_18003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18003, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18003, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 18003 tcp \u00b7 via HTTP:18003 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18003\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "18003 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "i2p-router" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:48:07 UTC	TCP	7657 · I2P ROUTER	i2p-router	Sonde I2P i2p probe · via I2P ROUTER:7657 · (sonde / probe)	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur I2P-ROUTER WAF — Recommandation Surveiller Tags http_get_probe i2p_router_emulated i2p_router_payload net_i2p_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7657 Chemin / cible — Service I2P ROUTER Payload GET / HTTP/1.1 Host: 62.3.50.33:7657 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Pourquoi cette classification : Type « i2p_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 24 Confiance : Confiance 0 % — 4 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7657 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7657 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000010000000000000000000000000", "emulator_response_len": 16, "bytes_in": 146, "payload_entropy": 5.111077662684571, "port_category": "registered", "org": "Google LLC", "service": "i2p-router", "app_proto": "i2p-router", "asn": 396982, "country": "BE", "dst_port": 7657, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 24, "tag_count": 4, "anomaly_count": 0, "campaign_key": "6b825118fa6970d53240647d7b9c41f15da40e3f", "event_fingerprint": "25b3b55ddc8ede9f93f90f1cadb11050918e5788", "classification_reason": "Type \u00ab i2p_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "i2p-router", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f538463aca772428ee0734de73c73671", "path_pattern_hash": "63fac6162f0d2de1da7489cc7f99c131" }, "target_context": { "dst_port": 7657, "service": "i2p-router", "service_name": "i2p-router", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7657\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7657\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7657\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7657\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7657\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab i2p_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "680284b4c5577d6c7f19f14b4f060b4169a01fab", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7657\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 7657, "service": "i2p-router", "service_label_fr": "I2P ROUTER" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7657\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "i2p probe \u00b7 via I2P ROUTER:7657 \u00b7 (sonde \/ probe)", "target_port_label": "7657 \u00b7 I2P ROUTER", "emulator_service": "i2p-router", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab i2p_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab i2p_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "i2p-router", "service_label_fr": "I2P ROUTER", "dst_port": 7657, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-i2p-router", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7657\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "port": 7657, "service": "i2p-router", "service_label_fr": "I2P ROUTER" }, "attack_vector": "i2p probe \u00b7 via I2P ROUTER:7657 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7657\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "7657 \u00b7 I2P ROUTER", "emulator_service": "i2p-router", "confidence_reason": "Confiance 0 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "i2p_router", "service_banner": "honeypot-i2p-router", "service_os": "linux", "dst_port": "7657" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "i2p-router" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "i2p_router_emulated", "i2p_router_payload", "net_i2p_probe" ], "asn_dc_heuristic": true }
15/06/2026 11:45:33 UTC	TCP	3410 · HTTP	http	Sonde port 3410/TCP port 3410 tcp · via HTTP:3410 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3410 Chemin / cible / Preuve honeypot — Sonde port 3410/TCP Connexion détectée sur le port 3410 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3410_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3410 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3410 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "fe9c9e5268edfd09b16b3b058513839b390bcc92", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.100052727928154, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3410, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c9111449a9ebf2bc04ab30284772a415afb52a6b", "event_fingerprint": "e1d04d24aa27c9b46b40a4ce651349da7a885393", "classification_reason": "Type \u00ab port_3410_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c355b64be1f8a44d41b374636523e952", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3410, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3410\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3410\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3410\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3410\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3410\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_3410_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d99e88c9ccf8557a9ebacc33fe8e836e95b6203f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3410, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3410\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 3410 tcp \u00b7 via HTTP:3410 \u00b7 (sonde \/ probe)", "target_port_label": "3410 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3410_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3410_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3410, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3410, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3410 tcp \u00b7 via HTTP:3410 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3410\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3410 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3410" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:42:37 UTC	TCP	16010 · HTTP	http	Sonde port 16010/TCP port 16010 tcp · via HTTP:16010 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16010 Chemin / cible / Preuve honeypot — Sonde port 16010/TCP Connexion détectée sur le port 16010 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16010_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16010 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16010 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "1cd2744106700ab51749a7c0080ba4d56bc0cbc6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.094250257458573, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16010, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "7d4df2fbc6f1d17454c03e12e98c266e349f1bb7", "event_fingerprint": "b2e07cdb958b18fd76da4c2826993ae15435453f", "classification_reason": "Type \u00ab port_16010_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "92ed57092039d9111c396bf281eef8c0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16010, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16010\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16010\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16010\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16010\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16010\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16010_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "49e554d7c46be605ec6264f42bbdd8296287f687", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16010, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16010\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16010 tcp \u00b7 via HTTP:16010 \u00b7 (sonde \/ probe)", "target_port_label": "16010 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16010_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16010_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16010, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16010, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16010 tcp \u00b7 via HTTP:16010 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16010\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16010 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16010" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:37:13 UTC	TCP	3510 · HTTP	http	Sonde port 3510/TCP port 3510 tcp · via HTTP:3510 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3510 Chemin / cible / Preuve honeypot — Sonde port 3510/TCP Connexion détectée sur le port 3510 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3510_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3510 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3510 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "7181750b9e4b481196ddadeb0b413e215fae78da", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.081183635447583, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3510, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "13199edb79a8a674cb624cf8f458cdf41fb2e6ca", "event_fingerprint": "f916d53234cc470b4ae5ee391e0346eeb8ef79d4", "classification_reason": "Type \u00ab port_3510_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "77ce12852b1016727e63bc573ff68e2e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3510, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3510\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3510\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3510\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3510\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3510\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_3510_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bcac3efec44efe5fc4ced1f8285d82aad4b08f63", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3510, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3510\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 3510 tcp \u00b7 via HTTP:3510 \u00b7 (sonde \/ probe)", "target_port_label": "3510 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3510_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3510_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3510, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3510, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3510 tcp \u00b7 via HTTP:3510 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3510\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3510 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3510" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 11:31:16 UTC	TCP	97 · HTTP	http	Sonde port 97/TCP port 97 tcp · via HTTP:97 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 97 Chemin / cible / Preuve honeypot — Sonde port 97/TCP Connexion détectée sur le port 97 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_97_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:97 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:97 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "5197e3d643b6e38626394631e6cfe8b7665d482d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 144, "payload_entropy": 5.109215561564733, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 97, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "83b6c6a27ed8cd3feb45fb9071a7b989c64e1213", "event_fingerprint": "b23365e78af76c05a9a1777392bdae53fdcbf4b2", "classification_reason": "Type \u00ab port_97_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "31b974a903eadac6ba68d2ec5f7508b1", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 97, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:97\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:97\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:97\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:97\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:97\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "classification_reason": "Type \u00ab port_97_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "65b7598e644391a21e868240286346230bd2947c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 97, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:97\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "attack_vector": "port 97 tcp \u00b7 via HTTP:97 \u00b7 (sonde \/ probe)", "target_port_label": "97 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_97_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_97_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 97, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 97, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 97 tcp \u00b7 via HTTP:97 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:97\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "target_port_label": "97 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "97" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:30:25 UTC	TCP	2130 · HTTP	http	Sonde port 2130/TCP port 2130 tcp · via HTTP:2130 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2130 Chemin / cible / Preuve honeypot — Sonde port 2130/TCP Connexion détectée sur le port 2130 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_2130_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2130 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2130 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "cfdda82dd8781055f6a04bb4610a34eeb7bca533", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.0778259299977675, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 2130, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "f2b56dadc1a95c4e85217cece6625cf00cf3f26f", "event_fingerprint": "05d3871f328617693387af16168642b8f9fa0db5", "classification_reason": "Type \u00ab port_2130_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "f47bc524adf01beece7a723ee37862a6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2130, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2130\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2130\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2130\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2130\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2130\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_2130_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d2b6c65883e959f777f048ab9e933a86a5c7177", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2130, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2130\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 2130 tcp \u00b7 via HTTP:2130 \u00b7 (sonde \/ probe)", "target_port_label": "2130 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_2130_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_2130_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2130, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 2130, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 2130 tcp \u00b7 via HTTP:2130 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2130\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "2130 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2130" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 11:25:22 UTC	TCP	9152 · HTTP	http	Sonde port 9152/TCP port 9152 tcp · via HTTP:9152 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9152 Chemin / cible / Preuve honeypot — Sonde port 9152/TCP Connexion détectée sur le port 9152 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9152_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9152 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9152 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "36f0498c01641ba2149d8e3ad8a9182e69630ab8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.097379032547585, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9152, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c23a2e2aa5055105b884547ea9712ece5a739d62", "event_fingerprint": "febf19e14fe4ec55e536d2a68328037c3f362db3", "classification_reason": "Type \u00ab port_9152_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c6071d428ba6c950ade29eb1a04b42fa", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9152, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9152_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93aadba882b2cc321a3f0466e1012da1e2c453f9", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9152, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9152 tcp \u00b7 via HTTP:9152 \u00b7 (sonde \/ probe)", "target_port_label": "9152 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9152_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9152_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9152, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9152, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9152 tcp \u00b7 via HTTP:9152 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9152\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9152 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9152" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:24:55 UTC	TCP	18068 · HTTP	http	Sonde port 18068/TCP port 18068 tcp · via HTTP:18068 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18068 Chemin / cible / Preuve honeypot — Sonde port 18068/TCP Connexion détectée sur le port 18068 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_18068_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18068 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18068 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "230a9b6e76edf198db32534239f7dd3ca83371fe", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.121461141812316, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 18068, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "fbf7f2ebd43c229d7cbedb3bc811b2753b5224c6", "event_fingerprint": "d5461879ff9c858c35e8d056a1e7163c482e8976", "classification_reason": "Type \u00ab port_18068_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "d2ee80790fda0e3de4c3195e2b9989e4", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 18068, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18068\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18068\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18068\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18068\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18068\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_18068_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "28cc07c8bf4abf348fa0d73f5bd088840488cf4e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18068, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18068\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 18068 tcp \u00b7 via HTTP:18068 \u00b7 (sonde \/ probe)", "target_port_label": "18068 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_18068_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_18068_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18068, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18068, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 18068 tcp \u00b7 via HTTP:18068 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18068\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "18068 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18068" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:23:55 UTC	TCP	1013 · HTTP	http	Sonde port 1013/TCP port 1013 tcp · via HTTP:1013 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1013 Chemin / cible / Preuve honeypot — Sonde port 1013/TCP Connexion détectée sur le port 1013 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_1013_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1013 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1013 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "3a72842db821b965a85652510fb03ee4a13a55cb", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.0778259299977675, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 1013, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "8294a24d59322dde889d7d8174897c8698033041", "event_fingerprint": "adb1d3d06ab1b0be351703b00f46471f11abc07f", "classification_reason": "Type \u00ab port_1013_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "9d86feb7ff97e7e0ed32b20a1571efc2", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1013, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1013\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1013\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1013\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1013\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1013\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_1013_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ccd213bf805645093569ceaa83e8071f6f9815ce", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1013, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1013\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 1013 tcp \u00b7 via HTTP:1013 \u00b7 (sonde \/ probe)", "target_port_label": "1013 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_1013_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_1013_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1013, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 1013, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 1013 tcp \u00b7 via HTTP:1013 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1013\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "1013 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1013" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:23:25 UTC	TCP	8848 · HTTP	http	Sonde port 8848/TCP port 8848 tcp · via HTTP:8848 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8848 Chemin / cible / Preuve honeypot — Sonde port 8848/TCP Connexion détectée sur le port 8848 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8848_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8848 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8848 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "de1a8c7e81b18f9a9a5f297d5b7d4c7045e2674f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8848, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "b492143513b59cab08a80884e530b7a7a410a83b", "event_fingerprint": "1b122e4b46d7b058523d1946049b0e527f692602", "classification_reason": "Type \u00ab port_8848_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "b2989e761139da6632bb713b3fdab16f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8848, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8848\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8848\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8848\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8848\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8848\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8848_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b406ef0bc08eb42c7a46b5dcef00b4d90a64140", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8848, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8848\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8848 tcp \u00b7 via HTTP:8848 \u00b7 (sonde \/ probe)", "target_port_label": "8848 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8848_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8848_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8848, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8848, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8848 tcp \u00b7 via HTTP:8848 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8848\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8848 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8848" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 2, "behavior_priority": 72 }
15/06/2026 11:20:28 UTC	TCP	3541 · HTTP	http	Sonde port 3541/TCP port 3541 tcp · via HTTP:3541 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3541 Chemin / cible / Preuve honeypot — Sonde port 3541/TCP Connexion détectée sur le port 3541 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3541_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3541 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3541 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "bbf3847167b1a2674fc541e6603fa4217338b826", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.094882265584569, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 3541, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "cd7cd834a811858602f81aab47f2edf36b0684ea", "event_fingerprint": "ad5ca72d56c56cf2589ce43c7365c78a78d5ea3d", "classification_reason": "Type \u00ab port_3541_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "2c4dd0505a6152e9385e2f2676ac7831", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3541, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3541\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3541\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3541\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3541\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3541\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_3541_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6e2658b180ae93aa1b9fb270dc9e98c55b98ef75", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3541, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3541\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 3541 tcp \u00b7 via HTTP:3541 \u00b7 (sonde \/ probe)", "target_port_label": "3541 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3541_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3541_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3541, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 3541, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3541 tcp \u00b7 via HTTP:3541 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3541\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "3541 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3541" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:19:09 UTC	TCP	8167 · HTTP	http	Sonde port 8167/TCP port 8167 tcp · via HTTP:8167 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8167 Chemin / cible / Preuve honeypot — Sonde port 8167/TCP Connexion détectée sur le port 8167 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8167_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8167 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8167 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "521c86f1f9cd4ef549c757c5addb1be8dd1b9558", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8167, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "2bd574423bac9be10c5545fc637b1da92d0a146f", "event_fingerprint": "5dbf2b76b51bdadfe11be5db2dea5b17fcac8dfc", "classification_reason": "Type \u00ab port_8167_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "ea3dc65cc92f2b3e24d55e7573963b61", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8167, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8167\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8167\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8167\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8167\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8167\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8167_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d512df7d399e2e2a5a5c6d55500f22d85d3ba507", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8167, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8167\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8167 tcp \u00b7 via HTTP:8167 \u00b7 (sonde \/ probe)", "target_port_label": "8167 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8167_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8167_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8167, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8167, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8167 tcp \u00b7 via HTTP:8167 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8167\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8167 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8167" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:18:38 UTC	TCP	12319 · HTTP	http	Sonde port 12319/TCP port 12319 tcp · via HTTP:12319 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12319 Chemin / cible / Preuve honeypot — Sonde port 12319/TCP Connexion détectée sur le port 12319 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_12319_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12319 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:12319 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "47c75b9fb4ddcd499fbc1c81dad1f1312de4602d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.09357090051905, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 12319, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "488dc0341cf14cff18b4c3ff0f59eead9a9cd084", "event_fingerprint": "5cb09b2285b36c86ebc58d5ca81bc114ed969b76", "classification_reason": "Type \u00ab port_12319_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "bf6cc4eba25c9712d0ae6397a5c8cc78", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12319, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12319\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12319\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12319\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12319\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12319\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_12319_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7a3a3d81db234316870d08218c8f5ef28e61dad9", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12319, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12319\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 12319 tcp \u00b7 via HTTP:12319 \u00b7 (sonde \/ probe)", "target_port_label": "12319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_12319_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_12319_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12319, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 12319, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 12319 tcp \u00b7 via HTTP:12319 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12319\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "12319 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12319" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:15:29 UTC	TCP	9186 · HTTP	http	Sonde port 9186/TCP port 9186 tcp · via HTTP:9186 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9186 Chemin / cible / Preuve honeypot — Sonde port 9186/TCP Connexion détectée sur le port 9186 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9186_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9186 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9186 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "a5d6923a6cdebc39eeb14d77b93aad0b6893cf46", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9186, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "aa8b9fcd205f1c38f0c361492ebd3fc026c4d48f", "event_fingerprint": "c1fc7929f4845f88c5f129990326c82ed68feb4b", "classification_reason": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "524b32e88c7754781369a1b7fb3412d9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9186, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e23a206082640d6b7f464453d1fb312a1e70f8e1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9186, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 9186 tcp \u00b7 via HTTP:9186 \u00b7 (sonde \/ probe)", "target_port_label": "9186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9186_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9186, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9186, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9186 tcp \u00b7 via HTTP:9186 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9186\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9186 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9186" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 11:13:44 UTC	TCP	28017 · HTTP	http	Sonde port 28017/TCP port 28017 tcp · via HTTP:28017 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible / Preuve honeypot — Sonde port 28017/TCP Connexion détectée sur le port 28017 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_28017_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:28017 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:28017 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "f6f10f81c6b0e62a7d97bf9d7a2fb3e11f56b5bd", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.126596430942677, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 28017, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "25a2a2a21d9e51a847b85b25e4792b50d46d3350", "event_fingerprint": "e90b7319220c01c657341d9435bbe5b022cfa4e6", "classification_reason": "Type \u00ab port_28017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "51a7bc5fc96faad218591b8931dc07ab", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_28017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "20de07b3eba31cd9c48776ce27feb8f9d06f553b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 28017 tcp \u00b7 via HTTP:28017 \u00b7 (sonde \/ probe)", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_28017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_28017_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 28017 tcp \u00b7 via HTTP:28017 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28017\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:09:14 UTC	TCP	10205 · HTTP	http	Sonde port 10205/TCP port 10205 tcp · via HTTP:10205 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10205 Chemin / cible / Preuve honeypot — Sonde port 10205/TCP Connexion détectée sur le port 10205 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_10205_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10205 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10205 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "870dce7c1087253c320adce74b0aa4af7af8ff03", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.089114968328208, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 10205, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "5091ffcdc154e796ea60a718b82a1e3322b205ab", "event_fingerprint": "8941002d5c431568cc9194a1e0ff234c146d5e9c", "classification_reason": "Type \u00ab port_10205_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "90925aa04369759fcf1b09b7db5af839", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 10205, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_10205_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2e0c7b72e833e32df3ad343c5c4563358e99157a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 10205, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 10205 tcp \u00b7 via HTTP:10205 \u00b7 (sonde \/ probe)", "target_port_label": "10205 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_10205_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_10205_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10205, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 10205, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 10205 tcp \u00b7 via HTTP:10205 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10205\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "10205 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10205" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 11:06:31 UTC	TCP	9082 · HTTP	http	Scan de ports port scan syn · via HTTP:9082 · (reconnaissance)	Élevée	Moyen · 44
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0043 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9082 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 44 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9082 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9082 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "0fe40ab70afe675223d923f1cb4a4eb33854af7a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.121418587371742, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 9082, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 44, "tag_count": 4, "anomaly_count": 1, "campaign_key": "414119e58a10b16d507f63953d201f915322c0b9", "event_fingerprint": "2e38907e79c656013ee36456a9f6870118c4c25b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "5e00e103173ff3367cdfa8a1eae2cbf9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9082, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "338c894cae847b431074f406780baf27aeaaaf3a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9082, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port scan syn \u00b7 via HTTP:9082 \u00b7 (reconnaissance)", "target_port_label": "9082 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 44 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9082, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 9082, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9082 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "9082 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9082" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:06:00 UTC	TCP	5246 · HTTP	http	Sonde port 5246/TCP port 5246 tcp · via HTTP:5246 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5246 Chemin / cible / Preuve honeypot — Sonde port 5246/TCP Connexion détectée sur le port 5246 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5246_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5246 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5246 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "e398efbc621bbfb5a20ccb13b83c2662d4dfaa7a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5246, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "b1325dabf2828bc7811f5332a7ef1200a699ffaf", "event_fingerprint": "947ba1e5b1e69d034d015d539976710c9de501e5", "classification_reason": "Type \u00ab port_5246_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "53389bec203bb3ec20a3b558b164d48d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5246, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5246_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9806c2fa731a714e7223126bdac415bf1b41632a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5246, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5246 tcp \u00b7 via HTTP:5246 \u00b7 (sonde \/ probe)", "target_port_label": "5246 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5246_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5246_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5246, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5246, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5246 tcp \u00b7 via HTTP:5246 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5246\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5246 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5246" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:05:41 UTC	TCP	5500 · HTTP	http	Sonde port 5500/TCP port 5500 tcp · via HTTP:5500 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5500 Chemin / cible / Preuve honeypot — Sonde port 5500/TCP Connexion détectée sur le port 5500 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5500_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5500 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5500 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d5ab7fa32d29570115e28396cdbd8369873b3cf0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.0836804024105975, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5500, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "4dd0db472d1eb5b0fddcac2248181138b69acf0c", "event_fingerprint": "9b3a4e8b3a6712530cdd56226d5f6883334bb230", "classification_reason": "Type \u00ab port_5500_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "cb4e3523a4d95f49bce78912ac5ef808", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5500, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5500_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c3ce54f89813e58173e51955bd4ac0eb641140e1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5500, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5500 tcp \u00b7 via HTTP:5500 \u00b7 (sonde \/ probe)", "target_port_label": "5500 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5500_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5500_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5500, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5500, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5500 tcp \u00b7 via HTTP:5500 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5500\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5500 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5500" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:04:13 UTC	TCP	16084 · HTTP	http	Sonde port 16084/TCP port 16084 tcp · via HTTP:16084 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16084 Chemin / cible / Preuve honeypot — Sonde port 16084/TCP Connexion détectée sur le port 16084 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16084_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16084 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16084 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "e4ab5a33d23a41dc629cb3bbbe70dfca8195d3b4", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.135066583989185, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16084, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "7708e5f04573d506d199e979ad4fc681e6e155d5", "event_fingerprint": "cf67387f82b2e9c4b05fa5d2b420b5476154ee72", "classification_reason": "Type \u00ab port_16084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "3a77cc59ec1a0f63d9ded0d70b610a00", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16084, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1ebb4ca4a4d07e8f7b55242c15f2bd4ec269c059", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16084, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16084 tcp \u00b7 via HTTP:16084 \u00b7 (sonde \/ probe)", "target_port_label": "16084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16084_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16084, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16084, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16084 tcp \u00b7 via HTTP:16084 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16084\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16084" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 11:02:31 UTC	TCP	8029 · HTTP	http	Sonde port 8029/TCP port 8029 tcp · via HTTP:8029 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8029 Chemin / cible / Preuve honeypot — Sonde port 8029/TCP Connexion détectée sur le port 8029 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8029_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8029 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8029 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "5b13defe117186e4a1c5b832de4de9174465c300", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.121418587371742, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8029, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "5ebd29178718dd4fbff4022cbfcd0bb6e894bcbb", "event_fingerprint": "18d0437aa9e9a8677630eedee8ebbef73b72f1c5", "classification_reason": "Type \u00ab port_8029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "b3e01838a083bc1a15952c13ec6451a6", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8029, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "95ce79cac16cf33e9bc6e9bedec2ff08b05aee91", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8029, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8029 tcp \u00b7 via HTTP:8029 \u00b7 (sonde \/ probe)", "target_port_label": "8029 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8029_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8029, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8029, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8029 tcp \u00b7 via HTTP:8029 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8029\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8029 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8029" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 11:01:22 UTC	TCP	8008 · HTTP	http	Sonde port 8008/TCP port 8008 tcp · via HTTP:8008 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8008 Chemin / cible / Preuve honeypot — Sonde port 8008/TCP Connexion détectée sur le port 8008 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8008_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "2f04469f58c087671b6a6ba85c59ddf7574837ab", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.111077662684571, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8008, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "753a881df9b8677b76444edb8fa5d5fcb063f324", "event_fingerprint": "3f7a78bbd783cb6e677f8fa91167c9c1845d1d91", "classification_reason": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "3a4f3033561765a1e9c4a7e5edd7a68f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8008, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "61c01547d97e663217550356f64f503ff31e7c1b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8008 tcp \u00b7 via HTTP:8008 \u00b7 (sonde \/ probe)", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8008, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8008 tcp \u00b7 via HTTP:8008 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8008" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 84 }
15/06/2026 10:58:46 UTC	TCP	7403 · HTTP	http	Sonde port 7403/TCP port 7403 tcp · via HTTP:7403 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7403 Chemin / cible / Preuve honeypot — Sonde port 7403/TCP Connexion détectée sur le port 7403 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_7403_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7403 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7403 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "3571f43733b6532de4007d53aa227ab3a9a3e3c3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.118921820408727, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 7403, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "786a1fec3563fd4b5fffbb3e868bc12866438c86", "event_fingerprint": "ec44033dba96ee153d340f490907844f66fe6faa", "classification_reason": "Type \u00ab port_7403_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "4bc11ee04a38f7efe23f3e6d117c13be", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7403, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_7403_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "46bcad90795901ff7436a59b298c9885788c285e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 7403, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 7403 tcp \u00b7 via HTTP:7403 \u00b7 (sonde \/ probe)", "target_port_label": "7403 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_7403_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_7403_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7403, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 7403, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 7403 tcp \u00b7 via HTTP:7403 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7403\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "7403 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7403" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:58:32 UTC	TCP	18065 · HTTP	http	Sonde port 18065/TCP port 18065 tcp · via HTTP:18065 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18065 Chemin / cible / Preuve honeypot — Sonde port 18065/TCP Connexion détectée sur le port 18065 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_18065_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18065 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:18065 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "af9be5badc9c5e9d46eed960b054f19d5e20c974", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.116325852681951, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 18065, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "b5c822fb5ef6938e8d60c8a79b4894baff5370ab", "event_fingerprint": "ab6b980208a5075999cb372113f5da614e25b7ee", "classification_reason": "Type \u00ab port_18065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "770a309b80360ee19fa8817cf70fb52b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 18065, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_18065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "decae96d3a0288ddc6c97ee6ee11695e3fbe36cf", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18065, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 18065 tcp \u00b7 via HTTP:18065 \u00b7 (sonde \/ probe)", "target_port_label": "18065 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_18065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_18065_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18065, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 18065, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 18065 tcp \u00b7 via HTTP:18065 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18065\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "18065 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18065" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:52:39 UTC	TCP	16101 · HTTP	http	Sonde port 16101/TCP port 16101 tcp · via HTTP:16101 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16101 Chemin / cible / Preuve honeypot — Sonde port 16101/TCP Connexion détectée sur le port 16101 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16101_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16101 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16101 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d810d7f123af62e9f5af89ffce54c688c1d4ef7e", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.088435611388687, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16101, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "e1969f813a9b37a896d6028b3a148606462f98f1", "event_fingerprint": "9ca86534d8db11c5666b1fefcaead6f9e9fdec8c", "classification_reason": "Type \u00ab port_16101_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "cf101412780f316c271a83190ae828a7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16101, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16101_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "21ed88b805acf0423453bfede2d171a2df2582eb", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16101, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16101 tcp \u00b7 via HTTP:16101 \u00b7 (sonde \/ probe)", "target_port_label": "16101 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16101_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16101_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16101, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16101, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16101 tcp \u00b7 via HTTP:16101 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16101\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16101 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16101" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:51:17 UTC	TCP	8852 · HTTP	http	Sonde port 8852/TCP port 8852 tcp · via HTTP:8852 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8852 Chemin / cible / Preuve honeypot — Sonde port 8852/TCP Connexion détectée sur le port 8852 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8852_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8852 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8852 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "5f22562223a3c629bf7275e6afccf0f6abce8015", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.1025494948911705, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8852, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c7027851ef0791e3c08e9ddb18a42ae9c9cc89ed", "event_fingerprint": "7a30a6bbc21df2772a4c27d9dedd22e8d2f0aff3", "classification_reason": "Type \u00ab port_8852_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "47c55ff31e1aeedf8d509d41666cfe2a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8852, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8852_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dcbaf3e451661c04993a27e2b97e5174f3590a3c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8852, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8852 tcp \u00b7 via HTTP:8852 \u00b7 (sonde \/ probe)", "target_port_label": "8852 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8852_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8852_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8852, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8852, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8852 tcp \u00b7 via HTTP:8852 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8852\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8852 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8852" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:50:05 UTC	TCP	20182 · HTTP	http	Sonde port 20182/TCP port 20182 tcp · via HTTP:20182 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20182 Chemin / cible / Preuve honeypot — Sonde port 20182/TCP Connexion détectée sur le port 20182 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_20182_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20182 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20182 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "0abc9b7f2450bad5b31261d08cbb10b64f7228cc", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.102041053565556, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 20182, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "9734153f12d46fe2cb3870bc2027445b2a44c152", "event_fingerprint": "16e9a83cf3eec0fd256966ca14f915dc2f12ea2e", "classification_reason": "Type \u00ab port_20182_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "0b12197bc26c7c7fccd14df008878766", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20182, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_20182_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f500a96c9dcfa117995c6dc288673e441eedd45", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 20182, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 20182 tcp \u00b7 via HTTP:20182 \u00b7 (sonde \/ probe)", "target_port_label": "20182 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_20182_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_20182_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20182, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 20182, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 20182 tcp \u00b7 via HTTP:20182 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20182\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "20182 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20182" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:46:27 UTC	TCP	8112 · HTTP	http	Sonde port 8112/TCP port 8112 tcp · via HTTP:8112 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8112 Chemin / cible / Preuve honeypot — Sonde port 8112/TCP Connexion détectée sur le port 8112 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8112_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8112 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8112 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "d87c9eb95a0723896f979762e39c08249592bad6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.094021327097768, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8112, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "385e7e02799731e55a0293b89bda963da30fdd46", "event_fingerprint": "0c7367b6ede38ab0f2e2fe34949721f46ab92b9b", "classification_reason": "Type \u00ab port_8112_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "55bb0f5695a134b5c3201641216c7c26", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8112, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8112_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4d9c5a063671fe4b70390737c2916ee216070b25", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8112, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8112 tcp \u00b7 via HTTP:8112 \u00b7 (sonde \/ probe)", "target_port_label": "8112 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8112_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8112_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8112, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8112, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8112 tcp \u00b7 via HTTP:8112 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8112\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8112 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8112" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:43:39 UTC	TCP	16036 · HTTP	http	Sonde port 16036/TCP port 16036 tcp · via HTTP:16036 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 16036 Chemin / cible / Preuve honeypot — Sonde port 16036/TCP Connexion détectée sur le port 16036 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_16036_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16036 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:16036 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "65f4f1ac66a18640149fce5fdd6d3dfdab799c39", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.09177047530483, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 16036, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "25f6ca300654d04c1ac14c9ef2e6c34644fab2c3", "event_fingerprint": "f463fd97603fbaa82cc82699d58161468b7d7e8a", "classification_reason": "Type \u00ab port_16036_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "c3ad1bae32e2640999f966c4f8ee4b79", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 16036, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_16036_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "91fdcbd9d569933694459b544f3f3f6983b718b7", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16036, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 16036 tcp \u00b7 via HTTP:16036 \u00b7 (sonde \/ probe)", "target_port_label": "16036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_16036_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_16036_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 16036, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 16036, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 16036 tcp \u00b7 via HTTP:16036 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16036\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "16036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "16036" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "kerberos" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:42:54 UTC	TCP	8315 · HTTP	http	Sonde port 8315/TCP port 8315 tcp · via HTTP:8315 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8315 Chemin / cible / Preuve honeypot — Sonde port 8315/TCP Connexion détectée sur le port 8315 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8315_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8315 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8315 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "cda5e12821a0801e4561020ceca21579813cd0e3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.094882265584569, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 8315, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "e4ee6aaf9adf41cdcd6cb0d5fddd8f178fdcf432", "event_fingerprint": "c261907cb7db5bcea93a9a5f3d3f4b08e8b5e7b9", "classification_reason": "Type \u00ab port_8315_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "dcb4920ca2415a0a27c3eedae15184fb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8315, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_8315_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4320b31daca8cbd022548a0dc524b30c10cf08dd", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8315, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 8315 tcp \u00b7 via HTTP:8315 \u00b7 (sonde \/ probe)", "target_port_label": "8315 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8315_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8315_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8315, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 8315, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8315 tcp \u00b7 via HTTP:8315 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8315\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "8315 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8315" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "kerberos" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:39:40 UTC	TCP	88 · KERBEROS	kerberos	kerberos kerberos · via KERBEROS:88 · (sonde / probe)	Moyenne	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur KERBEROS WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 88 Chemin / cible — Service KERBEROS Payload GET / HTTP/1.1 Host: 62.3.50.33:88 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection Pourquoi cette classification : Type « kerberos » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 24 Confiance : Confiance 0 % — 1 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:88 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:88 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "protocol_emulated": true, "emulator_response": "6e82000c0a104142434445464748494a", "emulator_response_len": 16, "bytes_in": 144, "payload_entropy": 5.095326672675844, "port_category": "well_known", "org": "Google LLC", "service": "kerberos", "app_proto": "kerberos", "asn": 396982, "country": "BE", "dst_port": 88, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 32, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 40, "protocol": 32, "novelty": 15 }, "risk_score": 24, "tag_count": 1, "anomaly_count": 0, "campaign_key": "8e9cb969ceab740c93efec9e791ca73d858fd046", "event_fingerprint": "31e4a798ccff9624b861a6d5c96061ad06a8a14c", "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 40, "protocol": 32, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "kerberos", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "862c98f4f87aade808def214326da0d1", "path_pattern_hash": "d6f845779b5f0a377f3854eb15f1b5b6" }, "target_context": { "dst_port": 88, "service": "kerberos", "service_name": "kerberos", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "886a4e953728471245d0253c3df8c9b2c7efc1c1", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "port": 88, "service": "kerberos", "service_label_fr": "KERBEROS" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "attack_vector": "kerberos \u00b7 via KERBEROS:88 \u00b7 (sonde \/ probe)", "target_port_label": "88 \u00b7 KERBEROS", "emulator_service": "kerberos", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 40, "protocol": 32, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "kerberos", "service_label_fr": "KERBEROS", "dst_port": 88, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-kerberos", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "port": 88, "service": "kerberos", "service_label_fr": "KERBEROS" }, "attack_vector": "kerberos \u00b7 via KERBEROS:88 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:88\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection", "target_port_label": "88 \u00b7 KERBEROS", "emulator_service": "kerberos", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "kerberos", "service_banner": "honeypot-kerberos", "service_os": "linux", "dst_port": "88" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "kerberos" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ], "asn_dc_heuristic": true }
15/06/2026 10:39:19 UTC	TCP	5089 · HTTP	http	Sonde port 5089/TCP port 5089 tcp · via HTTP:5089 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5089 Chemin / cible / Preuve honeypot — Sonde port 5089/TCP Connexion détectée sur le port 5089 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5089_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5089 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5089 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "dc7bc0302a32528383c37d758790ae6af84dd352", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.124776292821557, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5089, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "a1b326a47ff210dc048f8541f646b10b0b55543d", "event_fingerprint": "2669fa775dd319fd1948871042c28d31462a94f5", "classification_reason": "Type \u00ab port_5089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "be9e1acddfc69f7d82103683fd36148f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5089, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2981d713069fd073d26690619a3648abacb8593f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5089, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5089 tcp \u00b7 via HTTP:5089 \u00b7 (sonde \/ probe)", "target_port_label": "5089 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5089_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5089, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5089, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5089 tcp \u00b7 via HTTP:5089 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5089\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5089 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5089" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:38:25 UTC	TCP	5245 · HTTP	http	Sonde port 5245/TCP port 5245 tcp · via HTTP:5245 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5245 Chemin / cible / Preuve honeypot — Sonde port 5245/TCP Connexion détectée sur le port 5245 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_5245_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5245 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connecti Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5245 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "dc28fc4fcf7cbe002d56c5bd9ea44345a7eb3411", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.094021327097768, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 5245, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "817146a1c8bcd373bb5dc1d84f32c317efbdb033", "event_fingerprint": "a300a3bd63fb4644e532ebb4b1c042beac2e77f6", "classification_reason": "Type \u00ab port_5245_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "d85bd5493e18720fcc0861c6d054ffa9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5245, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "classification_reason": "Type \u00ab port_5245_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "826abf0878a20815fd184999b39146fe1cc895d1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5245, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "attack_vector": "port 5245 tcp \u00b7 via HTTP:5245 \u00b7 (sonde \/ probe)", "target_port_label": "5245 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5245_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5245_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5245, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 5245, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 5245 tcp \u00b7 via HTTP:5245 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5245\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnecti", "target_port_label": "5245 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5245" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }
15/06/2026 10:37:27 UTC	TCP	23184 · HTTP	http	Sonde port 23184/TCP port 23184 tcp · via HTTP:23184 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA python-requests/2.32.5 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 23184 Chemin / cible / Preuve honeypot — Sonde port 23184/TCP Connexion détectée sur le port 23184 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_23184_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent python-requests/2.32.5 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:23184 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connect Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:23184 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43", "http_host_hash": "628e474ed30883e5359a37cfca895f69b638bcb0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 147, "payload_entropy": 5.1156464957424275, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "BE", "dst_port": 23184, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 5.7, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "0f99f8f20def58b66017be320130df9da3f0319d", "event_fingerprint": "a43584be358e4b33a7ec270c14426052f49902ca", "classification_reason": "Type \u00ab port_23184_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BE", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f712d38ba9b9c286c823406aa572410d", "payload_hash": "ee5f9d8a3ec4ad9e19a2274cb138a166", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 23184, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "evidence": { "method": "GET", "path": "\/", "user_agent": "python-requests\/2.32.5", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "classification_reason": "Type \u00ab port_23184_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "467408fbc87ec3dc27b0182784d7ffd46e3ff63e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 23184, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "attack_vector": "port 23184 tcp \u00b7 via HTTP:23184 \u00b7 (sonde \/ probe)", "target_port_label": "23184 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_23184_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_23184_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 20, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 23184, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "python-requests\/2.32.5", "port": 23184, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 23184 tcp \u00b7 via HTTP:23184 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23184\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnect", "target_port_label": "23184 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "23184" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "asn_dc_heuristic": true }

34.79.151.177

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence