|
|
TCP |
12577 · HTTP
|
http
|
Sonde port 12577/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12577
Chemin / cible
/
Preuve honeypot — Sonde port 12577/TCP
Connexion détectée sur le port 12577 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_12577_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Risque capteur
Faible
· 38
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12577
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:12577 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "e2f60467ce9e8513378f2a60cf5c685113340587",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.107855699635443,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 12577,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "afb6eb5f5e8fadca0a8cadfb508905dd26cd2070",
"event_fingerprint": "c964957b54ca1be6c7fac3f6bf3bf8ab6f37527e",
"classification_reason": "Type \u00ab port_12577_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "84c80cf7f6d3bac5736c6efa56254af1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 12577,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12577\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12577\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12577\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12577\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12577\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_12577_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b33cda9bb52b39a571f7692d3f1ab13762662270",
"site_display": {
"classification": "port_12577_tcp",
"confidence_pct": 55,
"confidence_breakdown": {
"classification": 0.55,
"kb_score": 0,
"rule_count": 0,
"payload_proof": false,
"pattern_proof": false,
"named_classification_skipped": true
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "http",
"dst_port": 12577,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"sensor_role": "threat_intelligence"
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12577"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
631 · IPP
|
ipp
|
ipp
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
631
Chemin / cible
—
Pourquoi cette classification : Type « ipp » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:631
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connectio
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:631 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742069707020726561647920706f72743d3633310d0a",
"emulator_response_len": 33,
"bytes_in": 145,
"payload_entropy": 5.075725039539267,
"port_category": "well_known",
"org": "Google LLC",
"service": "ipp",
"app_proto": "ipp",
"asn": 396982,
"country": "BE",
"dst_port": 631,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "69011159e0850c89ecd5e31c9df17e4ceadefd69",
"event_fingerprint": "0ff2363c0156fd28c9def3540d5e442f36179298",
"classification_reason": "Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "ipp",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2ab3796615946f751ed5d1072c539cc3",
"path_pattern_hash": "705e09bea990ea8643df74d79aabe770"
},
"target_context": {
"dst_port": 631,
"service": "ipp",
"service_name": "ipp",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"classification_reason": "Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2d2cbdb86a4bc6f3c516f00ccbb2f3f34d15d123",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ipp",
"service_banner": "honeypot-ipp",
"service_os": "linux",
"dst_port": "631"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2226 · HTTP
|
http
|
Sonde port 2226/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2226
Chemin / cible
/
Preuve honeypot — Sonde port 2226/TCP
Connexion détectée sur le port 2226 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_2226_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2226
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2226 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "42c7ed8ec850fe78a88d908c0a60de2d1686c59f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.069981772273612,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 2226,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "3e42841e1926d7fc65a2cbb5c8392ca8587f1724",
"event_fingerprint": "93e34e5458997c39a3fb62001affad230856aef7",
"classification_reason": "Type \u00ab port_2226_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "8c7bbd86bc1ac78a2283e66927f3c237",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2226,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2226\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2226\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2226\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2226\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2226\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_2226_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "db00a5ec11ca4491610a7f0749fbd785ba143096",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2226"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
177 · HTTP
|
http
|
Sonde port 177/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
177
Chemin / cible
/
Preuve honeypot — Sonde port 177/TCP
Connexion détectée sur le port 177 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_177_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:177
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connectio
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:177 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "35def72dfb9b076fe79dbd3d4776154e9fb9664d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 145,
"payload_entropy": 5.100619111776762,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 177,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "d8f111206ed2e1aa3ceb0bccc4a056a7bb16a6c1",
"event_fingerprint": "3eaa6a784b225080e23d01a06cf1ed62df234f76",
"classification_reason": "Type \u00ab port_177_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "97f10e33d75fdea748c8f06b8b5b69f0",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 177,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:177\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:177\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:177\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:177\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:177\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"classification_reason": "Type \u00ab port_177_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "63603d0ab91fe3dcadca9051803e9a9ee077249d",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "177"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
591 · HTTP
|
http
|
Sonde port 591/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
591
Chemin / cible
/
Preuve honeypot — Sonde port 591/TCP
Connexion détectée sur le port 591 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_591_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:591
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connectio
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:591 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "d63885d1f1b06da9a39b56d573e583c2216d3a11",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 145,
"payload_entropy": 5.095412991072187,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 591,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "698147b8d41b365e3564a90718ce59fe8b085d01",
"event_fingerprint": "1e7d365cc1f5089a65fcad7aa72675aa08f14799",
"classification_reason": "Type \u00ab port_591_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "60cd4961e57c4b68f7ab8e03f2a72b02",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 591,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:591\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:591\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:591\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:591\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:591\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"classification_reason": "Type \u00ab port_591_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "364340b43d20b1ea2393445faff2d44247991764",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "591"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
28015 · RUST GAME
|
rust-game
|
rust-game
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
28015
Chemin / cible
—
Pourquoi cette classification : Type « rust-game » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:28015
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:28015 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f7420727573745f67616d6520726561647920706f72743d32383031350d0a",
"emulator_response_len": 41,
"bytes_in": 147,
"payload_entropy": 5.107855699635443,
"port_category": "registered",
"org": "Google LLC",
"service": "rust-game",
"app_proto": "rust-game",
"asn": 396982,
"country": "BE",
"dst_port": 28015,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "bfc2977a260d56a890a649ef36e7a4492148244b",
"event_fingerprint": "81fb8171cb1f02e01806a21694c91838ba9f2c84",
"classification_reason": "Type \u00ab rust-game \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "rust-game",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "edac52e122529b15829c4818b20e8008",
"path_pattern_hash": "94b3bbabcef80343149ad1c130d091fc"
},
"target_context": {
"dst_port": 28015,
"service": "rust-game",
"service_name": "rust-game",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:28015\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab rust-game \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6f0d0bafec19690729cfbf6b757e8f7a9d2bb7a3",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rust_game",
"service_banner": "honeypot-rust-game",
"service_os": "linux",
"dst_port": "28015"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
12425 · HTTP
|
http
|
Sonde port 12425/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12425
Chemin / cible
/
Preuve honeypot — Sonde port 12425/TCP
Connexion détectée sur le port 12425 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_12425_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12425
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:12425 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "a7dd4c1113a0a5d0f6e1f036d5347da743fcdc60",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.096905764435193,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 12425,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "c60629394279b619234326ad5173ae3bbcd1e18c",
"event_fingerprint": "f69c1dab6a314722a267ac85f83f4dbbcd97c13d",
"classification_reason": "Type \u00ab port_12425_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "2755fabda612838af42aa058f4af1e5e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 12425,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12425\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12425\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12425\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12425\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12425\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_12425_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e858129b0ef2cbd8d326dc3c3e01580ca6507ed0",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12425"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5671 · AMQPS
|
amqps
|
amqps
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5671
Chemin / cible
—
Pourquoi cette classification : Type « amqps » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5671
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5671 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "414d515000000901010000000000000e000a000b000000000000000000",
"emulator_response_len": 29,
"bytes_in": 146,
"payload_entropy": 5.105907200340986,
"port_category": "registered",
"org": "Google LLC",
"service": "amqps",
"app_proto": "amqps",
"asn": 396982,
"country": "BE",
"dst_port": 5671,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "5cf25df63493f358429c4979b8e0bf450a1fd44f",
"event_fingerprint": "09548ae3c2bc240036d835433213a0d8e00504cd",
"classification_reason": "Type \u00ab amqps \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "amqps",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "820f76c8c9130b91ca27903742199504",
"path_pattern_hash": "ec9e0191cb7fb77f9a066c013e9899fb"
},
"target_context": {
"dst_port": 5671,
"service": "amqps",
"service_name": "amqps",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5671\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5671\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5671\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5671\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5671\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab amqps \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a4fd600bd67cc36bbcd21dd0f910e8d36caf00c0",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "amqps",
"service_banner": "honeypot-amqps",
"service_os": "linux",
"dst_port": "5671"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
3128 · HTTP
|
http
|
Sonde port 3128/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3128
Chemin / cible
/
Preuve honeypot — Sonde port 3128/TCP
Connexion détectée sur le port 3128 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_3128_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3128
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3128 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "0004f205c8c9eec39df22e7d5c19060a1bc84a1b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.091524560134753,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 3128,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "daa205146f6928c5f0419e473dfdab0411fbf022",
"event_fingerprint": "afd4be76ab2ca0e80d3d89fe282189f6c71e709e",
"classification_reason": "Type \u00ab port_3128_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "5a64571e9f589136c2b74b292d80799c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3128,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_3128_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0f3c1e2ba9ebc569217082854aa3a9d776f0e33e",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "3128"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9009 · CLICKHOUSE NATIVE
|
clickhouse-native
|
clickhouse probe
|
Élevée
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
clickhouse_native_emulated
clickhouse_native_payload
http_get_probe
net_clickhouse_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9009
Chemin / cible
—
Pourquoi cette classification : Type « clickhouse_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9009
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9009 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "436c69636b486f757365207365727665722076657273696f6e2032342e332e312e0d0a",
"emulator_response_len": 35,
"bytes_in": 146,
"payload_entropy": 5.111077662684571,
"port_category": "registered",
"org": "Google LLC",
"service": "clickhouse-native",
"app_proto": "clickhouse-native",
"asn": 396982,
"country": "BE",
"dst_port": 9009,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 24,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "0f796e094798a041cc1b3136accd8e21cc25194c",
"event_fingerprint": "a3cb4d107b5137f2b9397a7edc851a39fe91ed0c",
"classification_reason": "Type \u00ab clickhouse_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "clickhouse-native",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "637b19f7a94186381e012211f57ea696",
"path_pattern_hash": "a6f7713503e08b2580844867d22bf612"
},
"target_context": {
"dst_port": 9009,
"service": "clickhouse-native",
"service_name": "clickhouse-native",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9009\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab clickhouse_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dfd58358bdcb34a2e234eb68f37852d7b214f498",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "clickhouse_native",
"service_banner": "honeypot-clickhouse-native",
"service_os": "linux",
"dst_port": "9009"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"clickhouse_native_emulated",
"clickhouse_native_payload",
"http_get_probe",
"net_clickhouse_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
19000 · HTTP
|
http
|
Scan de ports
|
Élevée
|
Moyen · 44
|
|
Étape
Reconnaissance
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
19000
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:19000
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:19000 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "c22e863873e2289dccf99007d8922e9e1d2a1151",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.107855699635443,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 19000,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 44,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "bc78670ad3a352d8547f26df1d70d4dc1fabc3b0",
"event_fingerprint": "937507b113c4f47174d2eaace174e43cc6d63273",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"confidence_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 44
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "c104f2b855121bcf1b6e27409a53f565",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 19000,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19000\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "75290f9bc5564c99bd5a13d8509e018eb7f85f05",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "19000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
12413 · HTTP
|
http
|
Sonde port 12413/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12413
Chemin / cible
/
Preuve honeypot — Sonde port 12413/TCP
Connexion détectée sur le port 12413 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_12413_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12413
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:12413 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "2db5cb5a6723002e4ccdd70c729fb75ff5b29552",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.09357090051905,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 12413,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "36795b892ce7b6048863c68ee5e2dfa62543bf06",
"event_fingerprint": "fec57e03582a4bcd4180619667c71ec09d71aafb",
"classification_reason": "Type \u00ab port_12413_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "346cd605ce467670ecc52f6eaa68bed3",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 12413,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12413\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12413\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12413\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12413\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12413\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_12413_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e223edd37fa3a0e4c62d663f39b0188e873c88ac",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12413"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9023 · HTTP
|
http
|
Sonde port 9023/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9023
Chemin / cible
/
Preuve honeypot — Sonde port 9023/TCP
Connexion détectée sur le port 9023 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9023_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9023
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9023 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "d0585015ebc20a3486bb04002f9602db0322437b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.096695022478339,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9023,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "d7ebe9315cbcdea4cc62cf78f2de529809a2c748",
"event_fingerprint": "766b964f298cfe12dd3f7e547ba410b32de3a7af",
"classification_reason": "Type \u00ab port_9023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "94e87bd4cebd3d3b611831416ee65478",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9023,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9023\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9023_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ad80522643bf8386a4078e627bdc76279c05b70b",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9023"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
3190 · HTTP
|
http
|
Scan de ports
|
Élevée
|
Moyen · 44
|
|
Étape
Reconnaissance
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3190
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3190
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3190 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "a556dc065875db421e80640089658792c12c346b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.100052727928154,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 3190,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 44,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "9db2fbd078b6791d3c13db695c971d49a890fb0b",
"event_fingerprint": "2f44241724cf395f50d550776d1c04b4a7fe755b",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"confidence_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 44
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "6dc6332077c4706ac61d85f3ba21f564",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3190,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3190\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3190\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3190\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3190\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3190\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b6cc75e5a4414d278181a6ea5c85c9a892e3fae0",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "3190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
17082 · HTTP
|
http
|
Sonde port 17082/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
17082
Chemin / cible
/
Preuve honeypot — Sonde port 17082/TCP
Connexion détectée sur le port 17082 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_17082_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:17082
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:17082 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "72813ac546c14415a53a70fcc80b382993ce6aa6",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.126596430942677,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 17082,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "7a66281dbcf14c0aa898c5fc8b1701334bb077fe",
"event_fingerprint": "3831aa92cbe4d1fb8dc25d70cbdcadb695b6c8b2",
"classification_reason": "Type \u00ab port_17082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "83d6a89d00734f0ad33c9647e31ecb85",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 17082,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:17082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_17082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a0dd4da985fad629ac5722afaa34a051ce973a08",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "17082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8165 · HTTP
|
http
|
Sonde port 8165/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8165
Chemin / cible
/
Preuve honeypot — Sonde port 8165/TCP
Connexion détectée sur le port 8165 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8165_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8165
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8165 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "ba0bb3ddc475637b28c30a96a742058b11df84cb",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.105907200340986,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8165,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "7fd31ee1f7035c3391bf4801d7f6bf34b59fc936",
"event_fingerprint": "b707a75ea0146554cf2f681801ef3794393a3369",
"classification_reason": "Type \u00ab port_8165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "4d2c1473bc8d2393295235fa6b1b2df2",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8165,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "438127415c95641c4e154f7be525f6c90c878da1",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8165"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9252 · HTTP
|
http
|
Sonde port 9252/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9252
Chemin / cible
/
Preuve honeypot — Sonde port 9252/TCP
Connexion détectée sur le port 9252 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9252_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9252
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9252 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "1fe226e8c56d8335a3c03e9febbb27724989e199",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.091524560134753,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9252,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "db332c393321b4163998040415bb9a6735f79c8f",
"event_fingerprint": "dbe835af8ebb2fc79ebcf23146863eb38ae626e4",
"classification_reason": "Type \u00ab port_9252_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "07082537149578c48cbe97fa63d4a915",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9252,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9252\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9252\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9252\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9252\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9252\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9252_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fbb3ae94a09d1283939ed8db4ec7f880d6f028b3",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9252"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2133 · HTTP
|
http
|
Sonde port 2133/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2133
Chemin / cible
/
Preuve honeypot — Sonde port 2133/TCP
Connexion détectée sur le port 2133 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_2133_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2133
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2133 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "0eb60bde85953dbe855d9356c5b889260c10c142",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.064811309930026,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 2133,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "c898acec0c538c7d3b1aff7afc4827a99867ba5f",
"event_fingerprint": "b25aa949a7e3b500030ac56a4d729c87b91a73bb",
"classification_reason": "Type \u00ab port_2133_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "0c1b7ee594cd0bc3317a0fb99830e9fa",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2133,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2133\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2133\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2133\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2133\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2133\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_2133_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "14601548ec947896ec788b1d95bae7e0e7d2ae19",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2133"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
10554 · HTTP
|
http
|
Sonde port 10554/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10554
Chemin / cible
/
Preuve honeypot — Sonde port 10554/TCP
Connexion détectée sur le port 10554 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_10554_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10554
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10554 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "7686dd4ed1b4361e4eb71f8a0cc854488736ddd0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.107855699635443,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 10554,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "6676c14bc8e1fc73aad4258536e2bbd5b4e4f731",
"event_fingerprint": "df840dcdc5b397b1a18257b8e722dd2a0b90d808",
"classification_reason": "Type \u00ab port_10554_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "b9f70cdd9c3ce5fe2ee602fe234ede65",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10554,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10554\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10554\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10554\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10554\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10554\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_10554_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bc94a4be6f4d816d9820b321dee1d83f1101de52",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10554"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
12195 · HTTP
|
http
|
Sonde port 12195/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12195
Chemin / cible
/
Preuve honeypot — Sonde port 12195/TCP
Connexion détectée sur le port 12195 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_12195_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12195
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:12195 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "81c791dd6b2d9a35765c73f31ae3e3c8b31b56f7",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.099385546588937,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 12195,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "1e7db769ab7b80fd4fd7316adf0dce05709e7727",
"event_fingerprint": "3a501a543204030285647b1df08239f6480b4608",
"classification_reason": "Type \u00ab port_12195_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "db83931c0711b6e8aa290113a3bc026f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 12195,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12195\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12195\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12195\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12195\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12195\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_12195_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f0747d5042edb2e32d14d03e35d50bc1aac1b854",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12195"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8173 · HTTP
|
http
|
Sonde port 8173/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8173
Chemin / cible
/
Preuve honeypot — Sonde port 8173/TCP
Connexion détectée sur le port 8173 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8173_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8173
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8173 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "80b98c4488d46a8ebd457a06bc3fe5ca6485d410",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.113751358065142,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8173,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "9d103520e1e134cdc5e79641a464b5d1f38253db",
"event_fingerprint": "8e4cbc6c3d6e4c554adcbfa60a2109c56b6c3a8f",
"classification_reason": "Type \u00ab port_8173_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "845918c2b8443902d06f5d830542d8a1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8173,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8173\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8173\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8173\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8173\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8173\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8173_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6c48a0706cdc25539b3cdd1576fbf5b9f6e1ed58",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8173"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
22705 · HTTP
|
http
|
Sonde port 22705/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
22705
Chemin / cible
/
Preuve honeypot — Sonde port 22705/TCP
Connexion détectée sur le port 22705 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_22705_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:22705
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:22705 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "c736ae537d821420b98b658262d8160cc0c573c4",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.102041053565556,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 22705,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "44a8454ffa02a046063ec1dd4eb6ab6c2ea46a03",
"event_fingerprint": "5314fa5e2b76a739dae025018830e14e683f622e",
"classification_reason": "Type \u00ab port_22705_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "04ef051e48bb25c2fec4a4967bea69b3",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 22705,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22705\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22705\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22705\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22705\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22705\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_22705_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d930f45be7d37cec104d0d37fbb26bf8a409996a",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "22705"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
13333 · HTTP
|
http
|
Sonde port 13333/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
13333
Chemin / cible
/
Preuve honeypot — Sonde port 13333/TCP
Connexion détectée sur le port 13333 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_13333_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:13333
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:13333 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "db77e6dae74002e3b8644e7860a64bd4d8614d8c",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.0534339309279614,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 13333,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "879e74c3c39df1843a61dd0eba81c919930fe69f",
"event_fingerprint": "f33242e4fe9cb653d14e77c7aa64e6d239815b4f",
"classification_reason": "Type \u00ab port_13333_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "c7d6a14fa61517253c8cbdb027c88db8",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 13333,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13333\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13333\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13333\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13333\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13333\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_13333_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2469037d2c946e726f1c4749e186c7fb52830a27",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "13333"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8008 · HTTP
|
http
|
Sonde port 8008/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8008
Chemin / cible
/
Preuve honeypot — Sonde port 8008/TCP
Connexion détectée sur le port 8008 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_8008_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8008
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "2f04469f58c087671b6a6ba85c59ddf7574837ab",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.111077662684571,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8008,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 30
},
"risk_score": 38,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "753a881df9b8677b76444edb8fa5d5fcb063f324",
"event_fingerprint": "3f7a78bbd783cb6e677f8fa91167c9c1845d1d91",
"classification_reason": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 30,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "3a4f3033561765a1e9c4a7e5edd7a68f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8008,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_8008_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "61c01547d97e663217550356f64f503ff31e7c1b",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8008"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
5900 · VNC
|
vnc
|
Sonde VNC
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
net_vnc_probe
vnc_emulated
vnc_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5900
Chemin / cible
—
Pourquoi cette classification : Type « vnc_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5900
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5900 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "524642203030332e3030380a",
"emulator_response_len": 12,
"bytes_in": 146,
"payload_entropy": 5.105907200340986,
"port_category": "registered",
"org": "Google LLC",
"service": "vnc",
"app_proto": "vnc",
"asn": 396982,
"country": "BE",
"dst_port": 5900,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 46,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 46,
"novelty": 15
},
"risk_score": 34,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "cade66411501f77b17508083fe4f8c73edf8c179",
"event_fingerprint": "3a1818c09cc3b5e6ad75703011c0dde91c1bf15b",
"classification_reason": "Type \u00ab vnc_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 46,
"novelty": 15,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "vnc",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b4b3fa623d5d3c566d62f09c2667e68c",
"path_pattern_hash": "61f146998107ee0d48dcdbbf16d99fc0"
},
"target_context": {
"dst_port": 5900,
"service": "vnc",
"service_name": "vnc",
"risk_score": 34
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5900\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5900\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5900\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5900\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5900\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab vnc_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ffa0345205440e7253fc29cb5319ba34a88f1b0b",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "vnc",
"service_banner": "honeypot-vnc",
"service_os": "linux",
"dst_port": "5900"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"net_vnc_probe",
"vnc_emulated",
"vnc_payload"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9119 · HTTP
|
http
|
Sonde port 9119/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9119
Chemin / cible
/
Preuve honeypot — Sonde port 9119/TCP
Connexion détectée sur le port 9119 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9119_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9119
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9119 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "51869f8a33ed47321991493e09aea24537877f25",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.1025494948911705,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9119,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "6673d755d3d72131c83f292513920677a65e1533",
"event_fingerprint": "e9dd52be24737736a55fd2f996d2a788e5daaec2",
"classification_reason": "Type \u00ab port_9119_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "b4536e5826b7efe75000afd41dcdacf8",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9119,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9119\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9119\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9119\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9119\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9119\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9119_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8393791077e2b1d69d013b080d553a7ac62bd18c",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9119"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9773 · HTTP
|
http
|
Sonde port 9773/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9773
Chemin / cible
/
Preuve honeypot — Sonde port 9773/TCP
Connexion détectée sur le port 9773 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9773_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9773
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9773 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "451b6f4efd39a7a368d8700d887e8057a78615d3",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.118921820408727,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9773,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "a45820a3337bbfa42f7b40342d76e1e9a5d4c8b4",
"event_fingerprint": "f0e64cd53dfc6e4cb2efd3da95de6856629d3f91",
"classification_reason": "Type \u00ab port_9773_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "f9b35038222f70159b9ad1d1909731a8",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9773,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9773\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9773_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0cf9f2da41d676f938f72309309501a827a8dfca",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9773"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
3183 · HTTP
|
http
|
Scan de ports
|
Élevée
|
Moyen · 43
|
|
Étape
Reconnaissance
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3183
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3183
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3183 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "06a10267a69be2e5133ce2450d99e61d4cb77ea3",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.0870381078604145,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 3183,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 43,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "3be4ab5a84c3f4a44d8c69bbdd860f4c81dae873",
"event_fingerprint": "733e17d9d666b1672a2cee26850c3b2d96565ff1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"confidence_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 43
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "edcc13d29647274d0e7a6c92d85b94fc",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3183,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3183\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "59f7f818d33054f9d9c3553dffdf3a2bb18ecd0a",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "3183"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
12165 · HTTP
|
http
|
Sonde port 12165/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12165
Chemin / cible
/
Preuve honeypot — Sonde port 12165/TCP
Connexion détectée sur le port 12165 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_12165_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12165
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:12165 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "15099aba049f79d14b124e4292d3c58a709c57e8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.085780104412065,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 12165,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "44c5568bda51dd7a8d60d1171358709a56d4df18",
"event_fingerprint": "a258ff398182c766c98f7bf4bafa2514567e051f",
"classification_reason": "Type \u00ab port_12165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "dc15f0ec7f004ddc9ca2868f2bc475b5",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 12165,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_12165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c2a2399895848a1a4158187e618d9d08c049150e",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12165"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
16993 · HTTP
|
http
|
Sonde port 16993/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
16993
Chemin / cible
/
Preuve honeypot — Sonde port 16993/TCP
Connexion détectée sur le port 16993 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_16993_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:16993
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:16993 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "72527336106ae1a15384684942ea87a431e21082",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.110511206612064,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 16993,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "cc66f630935e63755c65ef5241d119950ea98204",
"event_fingerprint": "8dfa863959186ed150cf84814fe6c8c1e3b2dc55",
"classification_reason": "Type \u00ab port_16993_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "06900e1d39bdd791b1c66e7c1768bca7",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 16993,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16993\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16993\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16993\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16993\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:16993\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_16993_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "594d027d148555fe89c2c703ba227198080424b3",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "16993"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
311 · HTTP
|
http
|
Sonde port 311/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
311
Chemin / cible
/
Preuve honeypot — Sonde port 311/TCP
Connexion détectée sur le port 311 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_311_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:311
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connectio
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:311 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "06bcadc846b21ed383a2c38e245acadf517e9967",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 145,
"payload_entropy": 5.067138056795566,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 311,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "5d3576927224ca672ec5401e64ab3b4690115734",
"event_fingerprint": "c5386f708c68e0aed9d519a655f544135f7984e1",
"classification_reason": "Type \u00ab port_311_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "5d8b3cd3b5270b867752ea079ceb07ab",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 311,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:311\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnectio",
"classification_reason": "Type \u00ab port_311_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "13a9328856e357f269fdea76cf82d68713e59665",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "311"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
32764 · HTTP
|
http
|
Scan de ports
|
Élevée
|
Moyen · 44
|
|
Étape
Reconnaissance
Corrélations
Campagne ports
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
32764
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:32764
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:32764 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "4796727b92dc6815ce1dae9d7e2323dcca41ff8e",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.120781784872791,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 32764,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 44,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "4477e31def16c0802db090ffd6d77837babd2b12",
"event_fingerprint": "5ca8647725ab9efe97990c400450a04be149479a",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"confidence_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 44,
"correlation_boost": 6
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "3724523eadd3e7c6cccb65b15a8dee38",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 32764,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32764\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32764\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32764\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32764\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32764\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d9530c7b7337759ab698012141f7154830a9f0a2",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "32764"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 4,
"port_scan_ports_sample": [
2100,
9073,
9221,
32764
],
"behavior_alerts": [
"port_scan_campaign"
],
"correlation_confidence_boost": 6,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9221 · HTTP
|
http
|
Scan de ports
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9221
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9221
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9221 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "0f7ade2412d41ab1a110297bd122664baebd3a86",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.091524560134753,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9221,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "16c04dac3e161abfd5b5fca7ec067db35eb2c46a",
"event_fingerprint": "44a71d78143b1b737cc5cb04d5c9464b9665a289",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"confidence_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 42
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "ef9f36f183227603ff1fc3f41226c17a",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9221,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9221\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "13d4e8047520ecaaee6cfd05ad6627d513b547a4",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9221"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2100 · HTTP
|
http
|
Sonde port 2100/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2100
Chemin / cible
/
Preuve honeypot — Sonde port 2100/TCP
Connexion détectée sur le port 2100 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_2100_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2100
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2100 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "75be1bfa36afbd295efe97e9ca6e16b96ea88292",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.0836804024105975,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 2100,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "03e6b1c437b36e467625e17a60ae78c3bfbf82b1",
"event_fingerprint": "ccee5c434be797945d2055e80b1635521d633b48",
"classification_reason": "Type \u00ab port_2100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "1af83b55f6c327a8f9dbeb54eef7493c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2100,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2100\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_2100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "07c7425395ddb6b66f6c5f5365adba32c6e2d7b4",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9073 · HTTP
|
http
|
Sonde port 9073/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9073
Chemin / cible
/
Preuve honeypot — Sonde port 9073/TCP
Connexion détectée sur le port 9073 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9073_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9073
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9073 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "a92394b70d3800092539266169de6f067ad8f292",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.118921820408727,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9073,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "f17233c66ba2acf51f210f3f60d7a965d37ee190",
"event_fingerprint": "e81baf4e178e9150026c866ec36351350fd18544",
"classification_reason": "Type \u00ab port_9073_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "ab5917c0f11d7af1c65201b44e6e32bc",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9073,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9073\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9073\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9073\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9073\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9073\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9073_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ab7e556172a4e2edc29ee79051c7366bcfdb85d3",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9073"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
18062 · HTTP
|
http
|
Scan de ports
|
Élevée
|
Moyen · 43
|
|
Étape
Reconnaissance
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
18062
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:18062
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:18062 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "2d390085d59f82bc8a33cf9f6945ef6b3d05bfc2",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.112990988765808,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 18062,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 43,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "9247194ea485f8795a24baf627b104c3c67bd070",
"event_fingerprint": "a06a148935ba393998a2d6c4d48f0a250f19a183",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"confidence_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 43
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "2b90c88435da3be337fbe28c40664a46",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 18062,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18062\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2840f8b6ac7158259abd551de6024a117600bfdd",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "18062"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9944 · HTTP
|
http
|
Scan de ports
|
Élevée
|
Moyen · 43
|
|
Étape
Reconnaissance
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9944
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9944
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9944 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "a7c19b2d0616534edf49afa5cf10ab29f7ea8060",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.129946755165142,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9944,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 43,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "a2f340b67d78097cc37f7a017fce614f7eabe9d6",
"event_fingerprint": "293f00f1f8b7c69f2dda0bd8cb61d87866f8153e",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"confidence_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 43
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "7f79841650ebf54bf3f28af64014c1e2",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9944,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9944\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9944\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9944\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9944\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9944\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e4a508698c555b6c11aa24f7a12ec53328f1c472",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9944"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
21304 · HTTP
|
http
|
Sonde port 21304/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
21304
Chemin / cible
/
Preuve honeypot — Sonde port 21304/TCP
Connexion détectée sur le port 21304 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_21304_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:21304
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:21304 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "946021bc28dbfce992c63dc941f73572f6976434",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.102041053565556,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 21304,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "b0adec735d4ffb24e0ae332d6145d9e466ac7425",
"event_fingerprint": "4bd2872e013857f39a141b54409cfdfaaa217257",
"classification_reason": "Type \u00ab port_21304_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "33339721985445f2f1c87d4c7a8c79fa",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 21304,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21304\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21304\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21304\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21304\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:21304\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_21304_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2256c53a200ee9a3c87001972a97af1c0b667403",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "21304"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
3301 · HTTP
|
http
|
Sonde port 3301/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3301
Chemin / cible
/
Preuve honeypot — Sonde port 3301/TCP
Connexion détectée sur le port 3301 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_3301_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3301
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3301 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "71fe4f1fcc77dd5af837012a0625cb02c862fb29",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.073339477723427,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 3301,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "bca2cfa1825a188f46ca7117210422235855cca0",
"event_fingerprint": "be576bc45702a25ea9e19729ba3d234574179f86",
"classification_reason": "Type \u00ab port_3301_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "6cf8ca169bdb5a0902dbfe3d5830f734",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3301,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3301\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3301\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3301\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3301\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3301\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_3301_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c20893b21f6e0ebcfa9021121a267c42f2b75549",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "3301"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
18181 · HTTP
|
http
|
Sonde port 18181/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
18181
Chemin / cible
/
Preuve honeypot — Sonde port 18181/TCP
Connexion détectée sur le port 18181 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_18181_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:18181
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:18181 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "307a79560e7c3975c882a8bd70d12835ae1db622",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.102041053565556,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 18181,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "e3a42d0cdb734c0dedbd13053aa50d550e231f9b",
"event_fingerprint": "3fd3d4820354b1beb5af08df7ef15563b1dc7e83",
"classification_reason": "Type \u00ab port_18181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "e099bc417eb6fe70cfbc73badb5a3665",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 18181,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18181\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18181\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18181\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18181\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18181\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_18181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "30c70dea253bb551bcbda8260b6f65bb93e0da1f",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "18181"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
13082 · HTTP
|
http
|
Sonde port 13082/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
13082
Chemin / cible
/
Preuve honeypot — Sonde port 13082/TCP
Connexion détectée sur le port 13082 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_13082_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:13082
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:13082 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "52646757eccbee763159d3141b55a345ba3dfcbf",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.102041053565556,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 13082,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "a1d9b7d1f62d0695172ada78dbf28405f9ac0cb1",
"event_fingerprint": "bcaf9bf6c44b1bd9bf8a11468aa4ce349f644f9e",
"classification_reason": "Type \u00ab port_13082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "03d681d5f3e6ab32f54daa8267037381",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 13082,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:13082\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_13082_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "91c08ef0e415b2ad37e364dfd5782417c533068e",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "13082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9091 · KAFKA JMX
|
kafka-jmx
|
kafka-jmx
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9091
Chemin / cible
—
Pourquoi cette classification : Type « kafka-jmx » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9091
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9091 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206b61666b615f6a6d7820726561647920706f72743d393039310d0a",
"emulator_response_len": 40,
"bytes_in": 146,
"payload_entropy": 5.111077662684571,
"port_category": "registered",
"org": "Google LLC",
"service": "kafka-jmx",
"app_proto": "kafka-jmx",
"asn": 396982,
"country": "BE",
"dst_port": 9091,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "d059d76790262f0446f92b973dcba608c3699ce4",
"event_fingerprint": "c58ab12dc1fefd8340494c3b1522d2ff34dfdb9e",
"classification_reason": "Type \u00ab kafka-jmx \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "kafka-jmx",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0744c722e3f161077cbc2eadf230e9fd",
"path_pattern_hash": "b559ec958a47d0fa45debbf0f8ddb3e2"
},
"target_context": {
"dst_port": 9091,
"service": "kafka-jmx",
"service_name": "kafka-jmx",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab kafka-jmx \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d4fe3748e34045b57e140e8468303679f4d75345",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "kafka_jmx",
"service_banner": "honeypot-kafka-jmx",
"service_os": "linux",
"dst_port": "9091"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
12165 · HTTP
|
http
|
Sonde port 12165/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12165
Chemin / cible
/
Preuve honeypot — Sonde port 12165/TCP
Connexion détectée sur le port 12165 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_12165_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12165
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:12165 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "15099aba049f79d14b124e4292d3c58a709c57e8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.085780104412065,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 12165,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "44c5568bda51dd7a8d60d1171358709a56d4df18",
"event_fingerprint": "a258ff398182c766c98f7bf4bafa2514567e051f",
"classification_reason": "Type \u00ab port_12165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "dc15f0ec7f004ddc9ca2868f2bc475b5",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 12165,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12165\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_12165_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c2a2399895848a1a4158187e618d9d08c049150e",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12165"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
12215 · HTTP
|
http
|
Sonde port 12215/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12215
Chemin / cible
/
Preuve honeypot — Sonde port 12215/TCP
Connexion détectée sur le port 12215 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_12215_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12215
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:12215 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "074402d1f534b9fb2786e2e7a8298b79dac4d292",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.074830169211816,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 12215,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "83f096a9fb1a55c167e8538982e4bc0dc2d97443",
"event_fingerprint": "bdfffd63bf8169380ac1df463dc344522f144310",
"classification_reason": "Type \u00ab port_12215_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "98b53aeef7ec4a47bffe9c33054c8afc",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 12215,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12215\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12215\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12215\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12215\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12215\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_12215_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9e0e4c611da1b6a46506964a7a1f50f00b4bad72",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12215"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9222 · HTTP
|
http
|
Sonde port 9222/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9222
Chemin / cible
/
Preuve honeypot — Sonde port 9222/TCP
Connexion détectée sur le port 9222 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9222_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9222
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9222 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "6939de574b59c0d5a3322771de80c0f7f3eb9b59",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.0836804024105975,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 9222,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "7daf065fc712e821d1e0a62139ad22d9d3201b60",
"event_fingerprint": "64f07b80f953b5153b36eb5228ca2be70b8dbb20",
"classification_reason": "Type \u00ab port_9222_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "f7e47172b50d56012c75f7aa0e60d9db",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9222,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9222\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9222\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9222\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9222\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9222\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9222_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1b419caa7a0a66330dab588f71b349e3a48b1a99",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9222"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2121 · HTTP
|
http
|
Sonde port 2121/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2121
Chemin / cible
/
Preuve honeypot — Sonde port 2121/TCP
Connexion détectée sur le port 2121 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_2121_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2121
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2121 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "0d8ced431957ed543d38612082407234ae7cda34",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.069297762204367,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 2121,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "bd6e331dca8d9c1fa901e0b8e87cfb9a04383c31",
"event_fingerprint": "eb38139cd7e4f48e500a7907790c3d75774c6b40",
"classification_reason": "Type \u00ab port_2121_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "bb454a4937f0577ff87636731399140c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2121,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2121\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_2121_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9ef025729f0c67fac8d185458eb508f40202269a",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2121"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
5122 · HTTP
|
http
|
Sonde port 5122/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5122
Chemin / cible
/
Preuve honeypot — Sonde port 5122/TCP
Connexion détectée sur le port 5122 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_5122_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5122
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5122 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "1cc873623e290892bb02689468d0c4168bbbd708",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.072655467654182,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 5122,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "957473efe4af4f0059adadda591d8aed391c3731",
"event_fingerprint": "22c85ae54c07b82a0270ea95464dc3fcb2e9b811",
"classification_reason": "Type \u00ab port_5122_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "6b0803769b24bf3bfcfa856001a71fa2",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5122,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5122\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5122\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5122\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5122\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5122\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_5122_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dbe83d1cd925c850e637468983f2e70860888e45",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5122"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9200 · ELASTICSEARCH
|
elasticsearch
|
Sonde port 9200/TCP
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9200
Chemin / cible
/
Preuve honeypot — Sonde port 9200/TCP
Connexion détectée sur le port 9200 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_9200_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9200
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9200 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c",
"emulator_response_len": 172,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.1025494948911705,
"port_category": "registered",
"org": "Google LLC",
"service": "elasticsearch",
"app_proto": "elasticsearch",
"asn": 396982,
"country": "BE",
"dst_port": 9200,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 50,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 50,
"novelty": 30
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "fe7ac2601ae2bf63d0f1dbab8f948418f30b0512",
"event_fingerprint": "8946f73ac8f1897ea3583eb2dafa77519abd1534",
"classification_reason": "Type \u00ab port_9200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 50,
"novelty": 30,
"risk_score": 42
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "elasticsearch",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "829bf77f0ff569e44e95d90851851522",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9200,
"service": "elasticsearch",
"service_name": "elasticsearch",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_9200_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3d2c30d3627f7065c6725767ca5f9fffc9f9fa55",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "elasticsearch",
"service_banner": "Elasticsearch 8.11",
"service_os": "linux",
"dst_port": "9200"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"net_elasticsearch_probe",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8910 · HTTP
|
http
|
Scan de ports
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8910
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8910
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8910 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "79698bb8dbd89559f81924cd36191597f6e7b3b8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 146,
"payload_entropy": 5.124776292821557,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 8910,
"risk_waf": 32,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "ef3dd8d49c747ef14acd3c9791f957860d46256e",
"event_fingerprint": "6a9daa789ebb40c268d55e4d884199f7ceb1e61b",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 171,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan"
],
"confidence_breakdown": {
"waf": 32,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 42
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "712f94eedb58f00074268fe53af45243",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8910,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8910\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8910\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8910\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8910\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8910\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnecti",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "74a71b98c862a3b594ae5d775b9e073df8184804",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8910"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
12487 · HTTP
|
http
|
Sonde port 12487/TCP
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12487
Chemin / cible
/
Preuve honeypot — Sonde port 12487/TCP
Connexion détectée sur le port 12487 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_12487_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
55%
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
python-requests/2.32.5
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12487
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connect
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:12487 User-Agent: python-requests/2.32.5 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f343f9c1e6b4bd1214c9505270609d93a5a9cf43",
"http_host_hash": "0682b7f8e5847ccae8cc3d26a295b217aeceace3",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 147,
"payload_entropy": 5.1402018731195485,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "BE",
"dst_port": 12487,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 20,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20
},
"risk_score": 38,
"tag_count": 4,
"anomaly_count": 1,
"campaign_key": "a07cd57c83df694914f069e0dfbc26a4d3b7c9ab",
"event_fingerprint": "2491b43ffc79d1f991b539214979aeb7929218bb",
"classification_reason": "Type \u00ab port_12487_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.55,
"classification_confidence": 0.55,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 20,
"risk_score": 38
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f712d38ba9b9c286c823406aa572410d",
"payload_hash": "d611492c66f1859a584a39a20e8461ac",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 12487,
"service": "http",
"service_name": "http",
"risk_score": 38
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12487\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12487\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12487\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "python-requests\/2.32.5",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12487\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnection: keep-alive\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12487\r\nUser-Agent: python-requests\/2.32.5\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nConnect",
"classification_reason": "Type \u00ab port_12487_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "39413d9a119ef0bd58bb1c7e1fbe947b5f59f6e2",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "12487"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
],
"asn_dc_heuristic": true
}
|