14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /portal/.env
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /portal/.env UA Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/2008…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/portal/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/portal/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /portal/.env HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080716 (Gentoo) Galeon/2.0.6
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /portal/.env HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/2008071
Requête brute (extrait)
GET /portal/.env HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080716 (Gentoo) Galeon/2.0.6 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "ee51e06bab42e31123dc56d3e7441fe31d3bdca8",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "25e9d50bacd292841afcec6b93bcba6a1f6790d4",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 220,
"payload_entropy": 5.237766760563463,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "6a45cc4fed0231395928593d5e3a5ccbf21fbef0",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "7c03a0ceb5e41705263eecefeb91e5ab",
"payload_hash": "61cd37c3024e3a81cba4a6369b9e0d3e",
"path_pattern_hash": "8432e822d78216a6822b5a443dbf894c"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/2008071",
"method": "GET",
"path": "\/portal\/.env",
"user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/portal\/.env HTTP\/1.1",
"request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/2008071",
"evidence": {
"method": "GET",
"path": "\/portal\/.env",
"user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/portal\/.env HTTP\/1.1",
"request_sample": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/2008071",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "65615fe285f0fe9c865a0762366a0f7a089631e9",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.env",
"request_line": "GET \/portal\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/2008071",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.env",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/portal\/.env",
"request_line": "GET \/portal\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/20080716 (Gentoo) Galeon\/2.0.6",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/portal\/.env",
"evidence_snippet": "GET \/portal\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/2008071",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
������������1ǫ����L����t��wXe]��7�V����% ��Q�tص�YE��rc�t���ZF��b�fI�G̚ �&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������1ǫ����L����t��wXe]��7�V����% ��Q�tص�YE��rc�t���ZF��b�fI�G̚ �&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������1ǫ����L����t��wXe]��7�V����% ��Q�tص�YE��rc�t���ZF��b�fI�G̚ �&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� $� a>�f�]��(I�G ci��G���1����_5g
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.7946780200347465,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "0c1c05fe221a169ad6c51b5b055ff3fb",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00071\u01eb\ufffd\ufffd\u0017\u0010L\ufffd\u0018\ufffd\ufffdt\ufffd\ufffdwXe]\ufffd\ufffd7\ufffdV\ufffd\u000f\u0019\ufffd% \ufffd\u0004Q\ufffdt\u0635\ufffdYE\ufffd\u0017rc\ufffdt\ufffd\ufffd\ufffdZF\u001b\u000fb\ufffdfI\ufffdG\u031a\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00071\u01eb\ufffd\ufffd\u0017\u0010L\ufffd\u0018\ufffd\ufffdt\ufffd\ufffdwXe]\ufffd\ufffd7\ufffdV\ufffd\u000f\u0019\ufffd% \ufffd\u0004Q\ufffdt\u0635\ufffdYE\ufffd\u0017rc\ufffdt\ufffd\ufffd\ufffdZF\u001b\u000fb\ufffdfI\ufffdG\u031a\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 $\ufffd\fa>\ufffdf\ufffd]\ufffd\u0016(I\ufffdG\nci\ufffd\u001dG\ufffd\ufffd\ufffd1\ufffd\u001d\u0001\ufffd_5g",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00071\u01eb\ufffd\ufffd\u0017\u0010L\ufffd\u0018\ufffd\ufffdt\ufffd\ufffdwXe]\ufffd\ufffd7\ufffdV\ufffd\u000f\u0019\ufffd% \ufffd\u0004Q\ufffdt\u0635\ufffdYE\ufffd\u0017rc\ufffdt\ufffd\ufffd\ufffdZF\u001b\u000fb\ufffdfI\ufffdG\u031a\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ddcbe86b99b0e8176a72e6242272bf661a820a23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00071\u01eb\ufffd\ufffd\u0017\u0010L\ufffd\u0018\ufffd\ufffdt\ufffd\ufffdwXe]\ufffd\ufffd7\ufffdV\ufffd\u000f\u0019\ufffd% \ufffd\u0004Q\ufffdt\u0635\ufffdYE\ufffd\u0017rc\ufffdt\ufffd\ufffd\ufffdZF\u001b\u000fb\ufffdfI\ufffdG\u031a\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd1\u01eb\ufffd\ufffdL\ufffd\ufffd\ufffdt\ufffd\ufffdwXe]\ufffd\ufffd7\ufffdV\ufffd\ufffd% \ufffdQ\ufffdt\u0635\ufffdYE\ufffdrc\ufffdt\ufffd\ufffd\ufffdZFb\ufffdfI\ufffdG\u031a\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u00071\u01eb\ufffd\ufffd\u0017\u0010L\ufffd\u0018\ufffd\ufffdt\ufffd\ufffdwXe]\ufffd\ufffd7\ufffdV\ufffd\u000f\u0019\ufffd% \ufffd\u0004Q\ufffdt\u0635\ufffdYE\ufffd\u0017rc\ufffdt\ufffd\ufffd\ufffdZF\u001b\u000fb\ufffdfI\ufffdG\u031a\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd1\u01eb\ufffd\ufffdL\ufffd\ufffd\ufffdt\ufffd\ufffdwXe]\ufffd\ufffd7\ufffdV\ufffd\ufffd% \ufffdQ\ufffdt\u0635\ufffdYE\ufffdrc\ufffdt\ufffd\ufffd\ufffdZFb\ufffdfI\ufffdG\u031a\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������ps�����XRm�Qc��O�܂��JP���s����� ���q�:�G��� 2�D����9-�}郡�G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ps�����XRm�Qc��O�܂��JP���s����� ���q�:�G���
2�D����9-�}郡�G�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������ps�����XRm�Qc��O�܂��JP���s����� ���q�:�G��� 2�D����9-�}郡�G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �{����}��m��OrG���"ӿ|��ޝ�)� m&
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.786860228757744,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "89641807139e2240eb83118176479e83",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003ps\ufffd\u000f\ufffd\ufffd\u0013XRm\ufffdQc\ufffd\ufffdO\ufffd\u0702\ufffd\ufffdJP\ufffd\ufffd\u001bs\ufffd\ufffd\ufffd\ufffd\u0004 \u001d\ufffd\ufffdq\ufffd:\ufffdG\ufffd\ufffd\ufffd\n2\ufffdD\ufffd\u001e\ufffd\u001e9-\u0006}\u90e1\u001b\ud94b\udeeeG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003ps\ufffd\u000f\ufffd\ufffd\u0013XRm\ufffdQc\ufffd\ufffdO\ufffd\u0702\ufffd\ufffdJP\ufffd\ufffd\u001bs\ufffd\ufffd\ufffd\ufffd\u0004 \u001d\ufffd\ufffdq\ufffd:\ufffdG\ufffd\ufffd\ufffd\n2\ufffdD\ufffd\u001e\ufffd\u001e9-\u0006}\u90e1\u001b\ud94b\udeeeG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd{\ufffd\ufffd\u0006\u0004}\ufffd\ufffdm\ufffd\ufffdOrG\ufffd\ufffd\ufffd\"\u04ff|\u0004\ufffd\u079d\ufffd)\ufffd\tm&",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003ps\ufffd\u000f\ufffd\ufffd\u0013XRm\ufffdQc\ufffd\ufffdO\ufffd\u0702\ufffd\ufffdJP\ufffd\ufffd\u001bs\ufffd\ufffd\ufffd\ufffd\u0004 \u001d\ufffd\ufffdq\ufffd:\ufffdG\ufffd\ufffd\ufffd\n2\ufffdD\ufffd\u001e\ufffd\u001e9-\u0006}\u90e1\u001b\ud94b\udeeeG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "579b3f4159cf7b4423f3cd921e5eabf25b8c5a6e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003ps\ufffd\u000f\ufffd\ufffd\u0013XRm\ufffdQc\ufffd\ufffdO\ufffd\u0702\ufffd\ufffdJP\ufffd\ufffd\u001bs\ufffd\ufffd\ufffd\ufffd\u0004 \u001d\ufffd\ufffdq\ufffd:\ufffdG\ufffd\ufffd\ufffd\n2\ufffdD\ufffd\u001e\ufffd\u001e9-\u0006}\u90e1\u001b\ud94b\udeeeG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdps\ufffd\ufffd\ufffdXRm\ufffdQc\ufffd\ufffdO\ufffd\u0702\ufffd\ufffdJP\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdq\ufffd:\ufffdG\ufffd\ufffd\ufffd\n2\ufffdD\ufffd\ufffd9-}\u90e1\ud94b\udeeeG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003ps\ufffd\u000f\ufffd\ufffd\u0013XRm\ufffdQc\ufffd\ufffdO\ufffd\u0702\ufffd\ufffdJP\ufffd\ufffd\u001bs\ufffd\ufffd\ufffd\ufffd\u0004 \u001d\ufffd\ufffdq\ufffd:\ufffdG\ufffd\ufffd\ufffd\n2\ufffdD\ufffd\u001e\ufffd\u001e9-\u0006}\u90e1\u001b\ud94b\udeeeG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdps\ufffd\ufffd\ufffdXRm\ufffdQc\ufffd\ufffdO\ufffd\u0702\ufffd\ufffdJP\ufffd\ufffds\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdq\ufffd:\ufffdG\ufffd\ufffd\ufffd\n2\ufffdD\ufffd\ufffd9-}\u90e1\ud94b\udeeeG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������m� ����>�C��ΣG� ����F�����߽��� �'|���M�k�Z�����������'���8�/�a��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������m������>�C��ΣG� ����F�����߽��� �'|���M�k�Z�����������'���8�/�a��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������m� ����>�C��ΣG� ����F�����߽��� �'|���M�k�Z�����������'���8�/�a��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �%��?꺪w�b�l�ͯi�*p�a���������
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.853426073463883,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "fafaeaa0fe0698a89a3d61fb14c89268",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\f\ufffd\ufffd\ufffd\ufffd>\ufffdC\ufffd\ufffd\u03a3G\u0015\t\ufffd\ufffd\ufffd\u0014F\ufffd\ufffd\ufffd\ufffd\ufffd\u07fd\u0010\ufffd\u0012 \ufffd'|\ufffd\ufffd\ufffdM\ufffdk\ufffdZ\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd'\u0014\ufffd\ufffd8\ufffd\/\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\f\ufffd\ufffd\ufffd\ufffd>\ufffdC\ufffd\ufffd\u03a3G\u0015\t\ufffd\ufffd\ufffd\u0014F\ufffd\ufffd\ufffd\ufffd\ufffd\u07fd\u0010\ufffd\u0012 \ufffd'|\ufffd\ufffd\ufffdM\ufffdk\ufffdZ\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd'\u0014\ufffd\ufffd8\ufffd\/\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd%\u0010\ufffd?\uaeaaw\ufffdb\u000fl\ufffd\u036fi\ufffd*p\ufffda\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffd\u0012",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\f\ufffd\ufffd\ufffd\ufffd>\ufffdC\ufffd\ufffd\u03a3G\u0015\t\ufffd\ufffd\ufffd\u0014F\ufffd\ufffd\ufffd\ufffd\ufffd\u07fd\u0010\ufffd\u0012 \ufffd'|\ufffd\ufffd\ufffdM\ufffdk\ufffdZ\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd'\u0014\ufffd\ufffd8\ufffd\/\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "50ba93e584cf80ecb3d9e648115703106bc3cb1b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\f\ufffd\ufffd\ufffd\ufffd>\ufffdC\ufffd\ufffd\u03a3G\u0015\t\ufffd\ufffd\ufffd\u0014F\ufffd\ufffd\ufffd\ufffd\ufffd\u07fd\u0010\ufffd\u0012 \ufffd'|\ufffd\ufffd\ufffdM\ufffdk\ufffdZ\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd'\u0014\ufffd\ufffd8\ufffd\/\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffdC\ufffd\ufffd\u03a3G\t\ufffd\ufffd\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffd\u07fd\ufffd \ufffd'|\ufffd\ufffd\ufffdM\ufffdk\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd8\ufffd\/\ufffda\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\f\ufffd\ufffd\ufffd\ufffd>\ufffdC\ufffd\ufffd\u03a3G\u0015\t\ufffd\ufffd\ufffd\u0014F\ufffd\ufffd\ufffd\ufffd\ufffd\u07fd\u0010\ufffd\u0012 \ufffd'|\ufffd\ufffd\ufffdM\ufffdk\ufffdZ\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0006\ufffd\ufffd'\u0014\ufffd\ufffd8\ufffd\/\ufffda\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffdC\ufffd\ufffd\u03a3G\t\ufffd\ufffd\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffd\u07fd\ufffd \ufffd'|\ufffd\ufffd\ufffdM\ufffdk\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd'\ufffd\ufffd8\ufffd\/\ufffda\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�������������P%R���$M�3���+�7�����G��_��H ��ү�S�e8��3%Xqs��"/]�\�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������P%R���$M�3���+�7�����G��_��H ��ү�S�e8��3%Xqs��"/]�\�������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������P%R���$M�3���+�7�����G��_��H ��ү�S�e8��3%Xqs��"/]�\�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� H�?�^�pbKZ �/�mךT�_�R��5���!�?U
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.795695194271815,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "355bf00fefa674dfe4dad7d92ad5a32a",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP%R\ufffd\ufffd\ufffd$M\ufffd3\ufffd\u001c\ufffd+\ufffd7\u0011\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd_\ufffd\ufffdH \ufffd\ufffd\u04af\u0004S\ufffde8\ufffd\ufffd3%Xqs\ufffd\ufffd\"\/]\ufffd\\\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP%R\ufffd\ufffd\ufffd$M\ufffd3\ufffd\u001c\ufffd+\ufffd7\u0011\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd_\ufffd\ufffdH \ufffd\ufffd\u04af\u0004S\ufffde8\ufffd\ufffd3%Xqs\ufffd\ufffd\"\/]\ufffd\\\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 H\ufffd?\u000e^\ufffdpbKZ\u000b\ufffd\/\u001am\u05daT\u001d_\ufffdR\b\ufffd5\ufffd\u0001\u0004!\ufffd?U",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP%R\ufffd\ufffd\ufffd$M\ufffd3\ufffd\u001c\ufffd+\ufffd7\u0011\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd_\ufffd\ufffdH \ufffd\ufffd\u04af\u0004S\ufffde8\ufffd\ufffd3%Xqs\ufffd\ufffd\"\/]\ufffd\\\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7f58b639d078db09fb334b223be33895c2d86309",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP%R\ufffd\ufffd\ufffd$M\ufffd3\ufffd\u001c\ufffd+\ufffd7\u0011\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd_\ufffd\ufffdH \ufffd\ufffd\u04af\u0004S\ufffde8\ufffd\ufffd3%Xqs\ufffd\ufffd\"\/]\ufffd\\\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdP%R\ufffd\ufffd\ufffd$M\ufffd3\ufffd\ufffd+\ufffd7\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd_\ufffd\ufffdH \ufffd\ufffd\u04afS\ufffde8\ufffd\ufffd3%Xqs\ufffd\ufffd\"\/]\ufffd\\\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP%R\ufffd\ufffd\ufffd$M\ufffd3\ufffd\u001c\ufffd+\ufffd7\u0011\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd_\ufffd\ufffdH \ufffd\ufffd\u04af\u0004S\ufffde8\ufffd\ufffd3%Xqs\ufffd\ufffd\"\/]\ufffd\\\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdP%R\ufffd\ufffd\ufffd$M\ufffd3\ufffd\ufffd+\ufffd7\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd_\ufffd\ufffdH \ufffd\ufffd\u04afS\ufffde8\ufffd\ufffd3%Xqs\ufffd\ufffd\"\/]\ufffd\\\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
��������������F��<^�����=��P�A&H�hn�eC46� 0�� ��ٹ��c�ǔ�a���n�z��3�VU�h�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������F��<^�����=��P�A&H�hn�eC46� 0�� ��ٹ��c�ǔ�a���n�z��3�VU�h�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������F��<^�����=��P�A&H�hn�eC46� 0�� ��ٹ��c�ǔ�a���n�z��3�VU�h�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� $0�l�j�w��ȵ`����ܖ��+,�ܺ�s�o�1
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8625450894642235,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "16563d1a230efab007787a4581c6de3a",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000eF\ufffd\ufffd<^\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffdP\u000eA&H\ufffdhn\ufffdeC46\ufffd 0\ufffd\ufffd \ufffd\ufffd\u0679\ufffd\ufffdc\ufffd\u01d4\ufffda\ufffd\ufffd\ufffdn\u0013z\ufffd\ufffd3\ufffdVU\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000eF\ufffd\ufffd<^\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffdP\u000eA&H\ufffdhn\ufffdeC46\ufffd 0\ufffd\ufffd \ufffd\ufffd\u0679\ufffd\ufffdc\ufffd\u01d4\ufffda\ufffd\ufffd\ufffdn\u0013z\ufffd\ufffd3\ufffdVU\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 $0\ufffdl\u0006j\ufffdw\ufffd\ufffd\u0235`\ufffd\ufffd\ufffd\ufffd\u0716\ufffd\u0003+,\u0018\u073a\u0019s\ufffdo\ufffd1",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000eF\ufffd\ufffd<^\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffdP\u000eA&H\ufffdhn\ufffdeC46\ufffd 0\ufffd\ufffd \ufffd\ufffd\u0679\ufffd\ufffdc\ufffd\u01d4\ufffda\ufffd\ufffd\ufffdn\u0013z\ufffd\ufffd3\ufffdVU\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ff08c5f2dfa4ce42f0f68559810789a2e6dfdac8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000eF\ufffd\ufffd<^\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffdP\u000eA&H\ufffdhn\ufffdeC46\ufffd 0\ufffd\ufffd \ufffd\ufffd\u0679\ufffd\ufffdc\ufffd\u01d4\ufffda\ufffd\ufffd\ufffdn\u0013z\ufffd\ufffd3\ufffdVU\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd<^\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffdPA&H\ufffdhn\ufffdeC46\ufffd 0\ufffd\ufffd \ufffd\ufffd\u0679\ufffd\ufffdc\ufffd\u01d4\ufffda\ufffd\ufffd\ufffdnz\ufffd\ufffd3\ufffdVU\ufffdh&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000eF\ufffd\ufffd<^\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffdP\u000eA&H\ufffdhn\ufffdeC46\ufffd 0\ufffd\ufffd \ufffd\ufffd\u0679\ufffd\ufffdc\ufffd\u01d4\ufffda\ufffd\ufffd\ufffdn\u0013z\ufffd\ufffd3\ufffdVU\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd<^\ufffd\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffdPA&H\ufffdhn\ufffdeC46\ufffd 0\ufffd\ufffd \ufffd\ufffd\u0679\ufffd\ufffdc\ufffd\u01d4\ufffda\ufffd\ufffd\ufffdnz\ufffd\ufffd3\ufffdVU\ufffdh&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
������������ә����q�y�����zP �n��@�+��:[�Fn +�N��-M����TՆ!m�1j��|0����{�=(��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������ә����q�y�����zP��n��@�+��:[�Fn +�N��-M����TՆ!m�1j��|0����{�=(��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������ә����q�y�����zP �n��@�+��:[�Fn +�N��-M����TՆ!m�1j��|0����{�=(��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� I&0�Z�W�����*咏W��R�ݠ��;���v/
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.844022618292708,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "584854dfffb6c0516c18b058def9b0c3",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04d9\ufffd\u0006\ufffd\ufffdq\ufffdy\u0011\u001d\ufffd\u0007\ufffdzP\f\ufffdn\ufffd\u0013@\ufffd+\ufffd\ufffd:[\ufffdFn +\ufffdN\ufffd\ufffd-M\ufffd\ufffd\u0017\ufffdT\u0546!m\ufffd1j\ufffd\ufffd|0\ufffd\ufffd\ufffd\ufffd{\ufffd=(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04d9\ufffd\u0006\ufffd\ufffdq\ufffdy\u0011\u001d\ufffd\u0007\ufffdzP\f\ufffdn\ufffd\u0013@\ufffd+\ufffd\ufffd:[\ufffdFn +\ufffdN\ufffd\ufffd-M\ufffd\ufffd\u0017\ufffdT\u0546!m\ufffd1j\ufffd\ufffd|0\ufffd\ufffd\ufffd\ufffd{\ufffd=(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 I&0\ufffdZ\u0013W\u0013\ufffd\u0014\u0001\u0014*\u548fW\u001c\ufffdR\ufffd\u0760\ufffd\ufffd;\u0007\ufffd\ufffdv\/",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04d9\ufffd\u0006\ufffd\ufffdq\ufffdy\u0011\u001d\ufffd\u0007\ufffdzP\f\ufffdn\ufffd\u0013@\ufffd+\ufffd\ufffd:[\ufffdFn +\ufffdN\ufffd\ufffd-M\ufffd\ufffd\u0017\ufffdT\u0546!m\ufffd1j\ufffd\ufffd|0\ufffd\ufffd\ufffd\ufffd{\ufffd=(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "518b4b9497543e3beb81939670b2705a7f60fae8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04d9\ufffd\u0006\ufffd\ufffdq\ufffdy\u0011\u001d\ufffd\u0007\ufffdzP\f\ufffdn\ufffd\u0013@\ufffd+\ufffd\ufffd:[\ufffdFn +\ufffdN\ufffd\ufffd-M\ufffd\ufffd\u0017\ufffdT\u0546!m\ufffd1j\ufffd\ufffd|0\ufffd\ufffd\ufffd\ufffd{\ufffd=(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u04d9\ufffd\ufffd\ufffdq\ufffdy\ufffd\ufffdzP\ufffdn\ufffd@\ufffd+\ufffd\ufffd:[\ufffdFn +\ufffdN\ufffd\ufffd-M\ufffd\ufffd\ufffdT\u0546!m\ufffd1j\ufffd\ufffd|0\ufffd\ufffd\ufffd\ufffd{\ufffd=(\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04d9\ufffd\u0006\ufffd\ufffdq\ufffdy\u0011\u001d\ufffd\u0007\ufffdzP\f\ufffdn\ufffd\u0013@\ufffd+\ufffd\ufffd:[\ufffdFn +\ufffdN\ufffd\ufffd-M\ufffd\ufffd\u0017\ufffdT\u0546!m\ufffd1j\ufffd\ufffd|0\ufffd\ufffd\ufffd\ufffd{\ufffd=(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u04d9\ufffd\ufffd\ufffdq\ufffdy\ufffd\ufffdzP\ufffdn\ufffd@\ufffd+\ufffd\ufffd:[\ufffdFn +\ufffdN\ufffd\ufffd-M\ufffd\ufffd\ufffdT\u0546!m\ufffd1j\ufffd\ufffd|0\ufffd\ufffd\ufffd\ufffd{\ufffd=(\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������7D0�����ܗo; Տ�^=�sa���C�6���I� ��c<���߿5���]�����r�b@�W���X^�]�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������7D0�����ܗo;
Տ�^=�sa���C�6���I� ��c<���߿5���]�����r�b@�W���X^�]�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������7D0�����ܗo; Տ�^=�sa���C�6���I� ��c<���߿5���]�����r�b@�W���X^�]�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� k�S��R����#�z�Y$�R�B��+H-憼��g
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.837416006344045,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "a26d767c7d6c52e7b1cfad23fbd8062f",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00037D0\ufffd\ufffd\u0005\ufffd\ufffd\u0717o;\n\u054f\u0003^=\ufffdsa\u001e\u0003\ufffdC\ufffd6\ufffd\u0007\u0005I\ufffd \u0004\ufffdc<\ufffd\ufffd\ufffd\u07ff5\ufffd\u0005\ufffd]\ufffd\ufffd\u001e\ufffd\ufffdr\ufffdb@\ufffdW\ufffd\ufffd\ufffdX^\ufffd]\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00037D0\ufffd\ufffd\u0005\ufffd\ufffd\u0717o;\n\u054f\u0003^=\ufffdsa\u001e\u0003\ufffdC\ufffd6\ufffd\u0007\u0005I\ufffd \u0004\ufffdc<\ufffd\ufffd\ufffd\u07ff5\ufffd\u0005\ufffd]\ufffd\ufffd\u001e\ufffd\ufffdr\ufffdb@\ufffdW\ufffd\ufffd\ufffdX^\ufffd]\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 k\ufffdS\u0019\ufffdR\ufffd\ufffd\ufffd\ufffd#\ufffdz\ufffdY$\ufffdR\ufffdB\ufffd\ufffd+H-\u61bc\ufffd\ufffdg",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00037D0\ufffd\ufffd\u0005\ufffd\ufffd\u0717o;\n\u054f\u0003^=\ufffdsa\u001e\u0003\ufffdC\ufffd6\ufffd\u0007\u0005I\ufffd \u0004\ufffdc<\ufffd\ufffd\ufffd\u07ff5\ufffd\u0005\ufffd]\ufffd\ufffd\u001e\ufffd\ufffdr\ufffdb@\ufffdW\ufffd\ufffd\ufffdX^\ufffd]\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "71d8d23aac8aad53d8c8d729574bd9b3e711b571",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00037D0\ufffd\ufffd\u0005\ufffd\ufffd\u0717o;\n\u054f\u0003^=\ufffdsa\u001e\u0003\ufffdC\ufffd6\ufffd\u0007\u0005I\ufffd \u0004\ufffdc<\ufffd\ufffd\ufffd\u07ff5\ufffd\u0005\ufffd]\ufffd\ufffd\u001e\ufffd\ufffdr\ufffdb@\ufffdW\ufffd\ufffd\ufffdX^\ufffd]\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd7D0\ufffd\ufffd\ufffd\ufffd\u0717o;\n\u054f^=\ufffdsa\ufffdC\ufffd6\ufffdI\ufffd \ufffdc<\ufffd\ufffd\ufffd\u07ff5\ufffd\ufffd]\ufffd\ufffd\ufffd\ufffdr\ufffdb@\ufffdW\ufffd\ufffd\ufffdX^\ufffd]&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00037D0\ufffd\ufffd\u0005\ufffd\ufffd\u0717o;\n\u054f\u0003^=\ufffdsa\u001e\u0003\ufffdC\ufffd6\ufffd\u0007\u0005I\ufffd \u0004\ufffdc<\ufffd\ufffd\ufffd\u07ff5\ufffd\u0005\ufffd]\ufffd\ufffd\u001e\ufffd\ufffdr\ufffdb@\ufffdW\ufffd\ufffd\ufffdX^\ufffd]\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd7D0\ufffd\ufffd\ufffd\ufffd\u0717o;\n\u054f^=\ufffdsa\ufffdC\ufffd6\ufffdI\ufffd \ufffdc<\ufffd\ufffd\ufffd\u07ff5\ufffd\ufffd]\ufffd\ufffd\ufffd\ufffdr\ufffdb@\ufffdW\ufffd\ufffd\ufffdX^\ufffd]&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
������������f����ٷs��׃)�@:{����Y��B�q=]� ��� �S��+�B��o��P�n���e�nWK+�r��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������f����ٷs��׃)�@:{����Y��B�q=]�� ���
�S��+�B��o��P�n���e�nWK+�r��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������f����ٷs��׃)�@:{����Y��B�q=]� ��� �S��+�B��o��P�n���e�nWK+�r��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �h�� H�+^p0�H)h��Ӎ gj�J��m����\
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.833864114684843,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "ad071e2e50e9ce57a8234991de342958",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0004f\ufffd\u0003\ufffd\b\u0677s\ufffd\ufffd\u05c3)\ufffd@:{\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012B\u0007q=]\ufffd\u000b \ufffd\ufffd\ufffd\r\ufffdS\u0002\ufffd+\ufffdB\ufffd\ufffdo\ufffd\ufffdP\ufffdn\ufffd\u000f\ufffde\ufffdnWK+\u000fr\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0004f\ufffd\u0003\ufffd\b\u0677s\ufffd\ufffd\u05c3)\ufffd@:{\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012B\u0007q=]\ufffd\u000b \ufffd\ufffd\ufffd\r\ufffdS\u0002\ufffd+\ufffdB\ufffd\ufffdo\ufffd\ufffdP\ufffdn\ufffd\u000f\ufffde\ufffdnWK+\u000fr\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdh\ufffd\ufffd\rH\ufffd+^p0\ufffdH)h\u0007\ufffd\u04cd\u000bgj\ufffdJ\ufffd\ufffdm\ufffd\ufffd\ufffd\u001b\\",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0004f\ufffd\u0003\ufffd\b\u0677s\ufffd\ufffd\u05c3)\ufffd@:{\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012B\u0007q=]\ufffd\u000b \ufffd\ufffd\ufffd\r\ufffdS\u0002\ufffd+\ufffdB\ufffd\ufffdo\ufffd\ufffdP\ufffdn\ufffd\u000f\ufffde\ufffdnWK+\u000fr\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5b4c75a6740a3feecb1025ab402c8699674ca6d5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0004f\ufffd\u0003\ufffd\b\u0677s\ufffd\ufffd\u05c3)\ufffd@:{\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012B\u0007q=]\ufffd\u000b \ufffd\ufffd\ufffd\r\ufffdS\u0002\ufffd+\ufffdB\ufffd\ufffdo\ufffd\ufffdP\ufffdn\ufffd\u000f\ufffde\ufffdnWK+\u000fr\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdf\ufffd\ufffd\u0677s\ufffd\ufffd\u05c3)\ufffd@:{\ufffd\ufffd\ufffd\ufffdY\ufffdBq=]\ufffd \ufffd\ufffd\ufffd\r\ufffdS\ufffd+\ufffdB\ufffd\ufffdo\ufffd\ufffdP\ufffdn\ufffd\ufffde\ufffdnWK+r\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0004f\ufffd\u0003\ufffd\b\u0677s\ufffd\ufffd\u05c3)\ufffd@:{\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012B\u0007q=]\ufffd\u000b \ufffd\ufffd\ufffd\r\ufffdS\u0002\ufffd+\ufffdB\ufffd\ufffdo\ufffd\ufffdP\ufffdn\ufffd\u000f\ufffde\ufffdnWK+\u000fr\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdf\ufffd\ufffd\u0677s\ufffd\ufffd\u05c3)\ufffd@:{\ufffd\ufffd\ufffd\ufffdY\ufffdBq=]\ufffd \ufffd\ufffd\ufffd\r\ufffdS\ufffd+\ufffdB\ufffd\ufffdo\ufffd\ufffdP\ufffdn\ufffd\ufffde\ufffdnWK+r\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�������������A �7���EI�Ɋ'2<�mb�S8��jH&8�� �2�J�W�L0��>��A��ht������Ց���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������A �7���EI�Ɋ'2<�mb�S8��jH&8�� �2�J�W�L0��>��A��ht������Ց���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������A �7���EI�Ɋ'2<�mb�S8��jH&8�� �2�J�W�L0��>��A��ht������Ց���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� m+ɨ�U=Cs��b�{+�*s��8�r��V��� ;
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.790829967572217,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "7e9f953d89ae1c699175f00592d4134d",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffdA\t\ufffd7\ufffd\ufffd\ufffdEI\u0007\u024a'2<\ufffdmb\ufffdS8\u0001\ufffdjH&8\ufffd\ufffd\t \ufffd2\u0013J\ufffdW\ufffdL0\ufffd\ufffd>\ufffd\ufffdA\ufffd\ufffdht\ufffd\u0010\ufffd\ufffd\u001c\ufffd\u0551\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffdA\t\ufffd7\ufffd\ufffd\ufffdEI\u0007\u024a'2<\ufffdmb\ufffdS8\u0001\ufffdjH&8\ufffd\ufffd\t \ufffd2\u0013J\ufffdW\ufffdL0\ufffd\ufffd>\ufffd\ufffdA\ufffd\ufffdht\ufffd\u0010\ufffd\ufffd\u001c\ufffd\u0551\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 m+\u0268\ufffdU=Cs\ufffd\ufffdb\ufffd{+\u000e*s\ufffd\b8\ufffdr\ufffd\ufffdV\u0011\ufffd\ufffd\n;",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffdA\t\ufffd7\ufffd\ufffd\ufffdEI\u0007\u024a'2<\ufffdmb\ufffdS8\u0001\ufffdjH&8\ufffd\ufffd\t \ufffd2\u0013J\ufffdW\ufffdL0\ufffd\ufffd>\ufffd\ufffdA\ufffd\ufffdht\ufffd\u0010\ufffd\ufffd\u001c\ufffd\u0551\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9b8a428d5a8558748e840cce60c4dc655b2c2c6e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffdA\t\ufffd7\ufffd\ufffd\ufffdEI\u0007\u024a'2<\ufffdmb\ufffdS8\u0001\ufffdjH&8\ufffd\ufffd\t \ufffd2\u0013J\ufffdW\ufffdL0\ufffd\ufffd>\ufffd\ufffdA\ufffd\ufffdht\ufffd\u0010\ufffd\ufffd\u001c\ufffd\u0551\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdA\t\ufffd7\ufffd\ufffd\ufffdEI\u024a'2<\ufffdmb\ufffdS8\ufffdjH&8\ufffd\ufffd\t \ufffd2J\ufffdW\ufffdL0\ufffd\ufffd>\ufffd\ufffdA\ufffd\ufffdht\ufffd\ufffd\ufffd\ufffd\u0551\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffdA\t\ufffd7\ufffd\ufffd\ufffdEI\u0007\u024a'2<\ufffdmb\ufffdS8\u0001\ufffdjH&8\ufffd\ufffd\t \ufffd2\u0013J\ufffdW\ufffdL0\ufffd\ufffd>\ufffd\ufffdA\ufffd\ufffdht\ufffd\u0010\ufffd\ufffd\u001c\ufffd\u0551\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdA\t\ufffd7\ufffd\ufffd\ufffdEI\u024a'2<\ufffdmb\ufffdS8\ufffdjH&8\ufffd\ufffd\t \ufffd2J\ufffdW\ufffdL0\ufffd\ufffd>\ufffd\ufffdA\ufffd\ufffdht\ufffd\ufffd\ufffd\ufffd\u0551\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������C�9�L��t7��0�6Z�`���n+�H!���:��� ��Q~����V7Ok����|0;�@�2��9�o����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������C�9�L��t7��0�6Z�`���n+�H!���:��� ��Q~����V7Ok����|0;�@�2��9�o����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������C�9�L��t7��0�6Z�`���n+�H!���:��� ��Q~����V7Ok����|0;�@�2��9�o����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� %�|����͋ �6�����6������������6r
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8030141921462075,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "c14ca6aa0b1d6576bb97b534f9dd5ec8",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003C\ufffd9\ufffdL\ufffd\u0018t7\ufffd\ufffd0\ufffd6Z\ufffd`\ufffd\u0000\u0006n+\ufffdH!\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd \u001e\u0013Q~\u001c\ufffd\ufffd\ufffdV7Ok\ufffd\u0003\u0000\u0015|0;\ufffd@\ufffd2\ufffd\ufffd9\ufffdo\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003C\ufffd9\ufffdL\ufffd\u0018t7\ufffd\ufffd0\ufffd6Z\ufffd`\ufffd\u0000\u0006n+\ufffdH!\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd \u001e\u0013Q~\u001c\ufffd\ufffd\ufffdV7Ok\ufffd\u0003\u0000\u0015|0;\ufffd@\ufffd2\ufffd\ufffd9\ufffdo\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 %\ufffd|\ufffd\ufffd\ufffd\ufffd\u034b\u000b\ufffd6\ufffd\u001f\ufffd\ufffd\ufffd6\ufffd\ufffd\ufffd\ufffd\u0016\ufffd\u0019\ufffd\ufffd\ufffd\ufffd\ufffd6r",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003C\ufffd9\ufffdL\ufffd\u0018t7\ufffd\ufffd0\ufffd6Z\ufffd`\ufffd\u0000\u0006n+\ufffdH!\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd \u001e\u0013Q~\u001c\ufffd\ufffd\ufffdV7Ok\ufffd\u0003\u0000\u0015|0;\ufffd@\ufffd2\ufffd\ufffd9\ufffdo\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2468c2c5f3642ba49d0bf19767bb8f096590c375",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003C\ufffd9\ufffdL\ufffd\u0018t7\ufffd\ufffd0\ufffd6Z\ufffd`\ufffd\u0000\u0006n+\ufffdH!\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd \u001e\u0013Q~\u001c\ufffd\ufffd\ufffdV7Ok\ufffd\u0003\u0000\u0015|0;\ufffd@\ufffd2\ufffd\ufffd9\ufffdo\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdC\ufffd9\ufffdL\ufffdt7\ufffd\ufffd0\ufffd6Z\ufffd`\ufffdn+\ufffdH!\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd Q~\ufffd\ufffd\ufffdV7Ok\ufffd|0;\ufffd@\ufffd2\ufffd\ufffd9\ufffdo\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003C\ufffd9\ufffdL\ufffd\u0018t7\ufffd\ufffd0\ufffd6Z\ufffd`\ufffd\u0000\u0006n+\ufffdH!\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd \u001e\u0013Q~\u001c\ufffd\ufffd\ufffdV7Ok\ufffd\u0003\u0000\u0015|0;\ufffd@\ufffd2\ufffd\ufffd9\ufffdo\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdC\ufffd9\ufffdL\ufffdt7\ufffd\ufffd0\ufffd6Z\ufffd`\ufffdn+\ufffdH!\ufffd\ufffd\ufffd:\ufffd\ufffd\ufffd Q~\ufffd\ufffd\ufffdV7Ok\ufffd|0;\ufffd@\ufffd2\ufffd\ufffd9\ufffdo\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������Ԣ��zb�,Q��7�/n����j�Ĺ ����F��4 � ��Y"��4�s���%]���*u�.M�����BZ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Ԣ��zb�,Q��7�/n����j�Ĺ�����F��4 ����Y"��4�s���%]���*u�.M�����BZ�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������Ԣ��zb�,Q��7�/n����j�Ĺ ����F��4 � ��Y"��4�s���%]���*u�.M�����BZ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� y U[v/}O_�H��]G�j��X/�r�+M�k2ɑ&
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.884266280647603,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "56213b713f814f698c4ccada3aacd587",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0522\ufffd\ufffdzb\ufffd,Q\ufffd\ufffd7\ufffd\/n\u0019\ufffd\ufffd\ufffdj\ufffd\u0139\f\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd4 \ufffd\u000b\u0015\ufffdY\"\ufffd\ufffd4\ufffds\ufffd\ufffd\ufffd%]\ufffd\ufffd\ufffd*u\ufffd.M\u0011\ufffd\u001d\u001c\ufffdBZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0522\ufffd\ufffdzb\ufffd,Q\ufffd\ufffd7\ufffd\/n\u0019\ufffd\ufffd\ufffdj\ufffd\u0139\f\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd4 \ufffd\u000b\u0015\ufffdY\"\ufffd\ufffd4\ufffds\ufffd\ufffd\ufffd%]\ufffd\ufffd\ufffd*u\ufffd.M\u0011\ufffd\u001d\u001c\ufffdBZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 y U[v\/}O_\u001cH\ufffd\ufffd]G\ufffdj\b\ufffdX\/\ufffdr\u0013+M\u0019k2\u0251&",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0522\ufffd\ufffdzb\ufffd,Q\ufffd\ufffd7\ufffd\/n\u0019\ufffd\ufffd\ufffdj\ufffd\u0139\f\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd4 \ufffd\u000b\u0015\ufffdY\"\ufffd\ufffd4\ufffds\ufffd\ufffd\ufffd%]\ufffd\ufffd\ufffd*u\ufffd.M\u0011\ufffd\u001d\u001c\ufffdBZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f2271468567de6da9fe3094c8cd6aedc5f7e47d4",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0522\ufffd\ufffdzb\ufffd,Q\ufffd\ufffd7\ufffd\/n\u0019\ufffd\ufffd\ufffdj\ufffd\u0139\f\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd4 \ufffd\u000b\u0015\ufffdY\"\ufffd\ufffd4\ufffds\ufffd\ufffd\ufffd%]\ufffd\ufffd\ufffd*u\ufffd.M\u0011\ufffd\u001d\u001c\ufffdBZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\u0522\ufffd\ufffdzb\ufffd,Q\ufffd\ufffd7\ufffd\/n\ufffd\ufffd\ufffdj\ufffd\u0139\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd4 \ufffd\ufffdY\"\ufffd\ufffd4\ufffds\ufffd\ufffd\ufffd%]\ufffd\ufffd\ufffd*u\ufffd.M\ufffd\ufffdBZ&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0522\ufffd\ufffdzb\ufffd,Q\ufffd\ufffd7\ufffd\/n\u0019\ufffd\ufffd\ufffdj\ufffd\u0139\f\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd4 \ufffd\u000b\u0015\ufffdY\"\ufffd\ufffd4\ufffds\ufffd\ufffd\ufffd%]\ufffd\ufffd\ufffd*u\ufffd.M\u0011\ufffd\u001d\u001c\ufffdBZ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\u0522\ufffd\ufffdzb\ufffd,Q\ufffd\ufffd7\ufffd\/n\ufffd\ufffd\ufffdj\ufffd\u0139\ufffd\ufffd\ufffd\ufffdF\ufffd\ufffd4 \ufffd\ufffdY\"\ufffd\ufffd4\ufffds\ufffd\ufffd\ufffd%]\ufffd\ufffd\ufffd*u\ufffd.M\ufffd\ufffdBZ&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������@��%�O��َ��l�� u�E��-ŭ����� ��R����tp��^�+� U�X5 ��I>��W� 3z�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������@��%�O��َ��l�� u�E��-ŭ�����
��R����tp��^�+�
U�X5���I>��W� 3z�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������@��%�O��َ��l�� u�E��-ŭ����� ��R����tp��^�+� U�X5 ��I>��W� 3z�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� wh�c���СB��_���5���A `� j�PZ��@
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.823285413896366,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "dae456423cfc703a654cb11131c50eff",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0014\ufffd%\u001bO\ufffd\ufffd\u064e\ufffd\ufffdl\ufffd\ufffd u\ufffdE\ufffd\ufffd-\u016d\ufffd\ufffd\u0015\ufffd\ufffd\r \ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdtp\u0003\ufffd^\ufffd+\ufffd\nU\ufffdX5\f\ufffd\ufffdI>\ufffd\u0000W\ufffd 3z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0014\ufffd%\u001bO\ufffd\ufffd\u064e\ufffd\ufffdl\ufffd\ufffd u\ufffdE\ufffd\ufffd-\u016d\ufffd\ufffd\u0015\ufffd\ufffd\r \ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdtp\u0003\ufffd^\ufffd+\ufffd\nU\ufffdX5\f\ufffd\ufffdI>\ufffd\u0000W\ufffd 3z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 wh\ufffdc\u001f\ufffd\ufffd\u0421B\ufffd\ufffd_\ufffd\u0001\ufffd5\u0012\u0016\ufffdA\r`\ufffd\fj\ufffdPZ\ufffd\ufffd@",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0014\ufffd%\u001bO\ufffd\ufffd\u064e\ufffd\ufffdl\ufffd\ufffd u\ufffdE\ufffd\ufffd-\u016d\ufffd\ufffd\u0015\ufffd\ufffd\r \ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdtp\u0003\ufffd^\ufffd+\ufffd\nU\ufffdX5\f\ufffd\ufffdI>\ufffd\u0000W\ufffd 3z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7b3cf85da6bf48bb99e642e1735aa3972d56c7e5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0014\ufffd%\u001bO\ufffd\ufffd\u064e\ufffd\ufffdl\ufffd\ufffd u\ufffdE\ufffd\ufffd-\u016d\ufffd\ufffd\u0015\ufffd\ufffd\r \ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdtp\u0003\ufffd^\ufffd+\ufffd\nU\ufffdX5\f\ufffd\ufffdI>\ufffd\u0000W\ufffd 3z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd@\ufffd%O\ufffd\ufffd\u064e\ufffd\ufffdl\ufffd\ufffd u\ufffdE\ufffd\ufffd-\u016d\ufffd\ufffd\ufffd\ufffd\r \ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdtp\ufffd^\ufffd+\ufffd\nU\ufffdX5\ufffd\ufffdI>\ufffdW\ufffd 3z&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@\u0014\ufffd%\u001bO\ufffd\ufffd\u064e\ufffd\ufffdl\ufffd\ufffd u\ufffdE\ufffd\ufffd-\u016d\ufffd\ufffd\u0015\ufffd\ufffd\r \ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdtp\u0003\ufffd^\ufffd+\ufffd\nU\ufffdX5\f\ufffd\ufffdI>\ufffd\u0000W\ufffd 3z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd@\ufffd%O\ufffd\ufffd\u064e\ufffd\ufffdl\ufffd\ufffd u\ufffdE\ufffd\ufffd-\u016d\ufffd\ufffd\ufffd\ufffd\r \ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdtp\ufffd^\ufffd+\ufffd\nU\ufffdX5\ufffd\ufffdI>\ufffdW\ufffd 3z&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
����������� .+<�����Mi����e:��2<��쯓4h�{n� �؞��a* O�SC�a'�^9*<��� 45�vi��#�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������
.+<�����Mi����e:��2<��쯓4h�{n� �؞��a*�O�SC�a'�^9*<��� 45�vi��#�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������� .+<�����Mi����e:��2<��쯓4h�{n� �؞��a* O�SC�a'�^9*<��� 45�vi��#�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �nZ��3��o*��Z�6��5�n��8�5��,��t�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.7320039013826225,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f93b3955d2705f1d127c7d581d7878627064fa85",
"event_fingerprint": "02434d2e60f4de8ddfb8738f2a4e125d2d8704ba",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "9e82d94eae388243d8eb88509d39d645",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n.+<\u0003\u001a\ufffd\u0003\ufffdMi\ufffd\ufffd\ufffd\ufffde:\ufffd\ufffd2<\ufffd\u0013\ucbd34h\u0017{n\ufffd \ufffd\u061e\ufffd\ufffda*\fO\ufffdSC\u001ba'\ufffd^9*<\u0014\u0000\ufffd 45\ufffdvi\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n.+<\u0003\u001a\ufffd\u0003\ufffdMi\ufffd\ufffd\ufffd\ufffde:\ufffd\ufffd2<\ufffd\u0013\ucbd34h\u0017{n\ufffd \ufffd\u061e\ufffd\ufffda*\fO\ufffdSC\u001ba'\ufffd^9*<\u0014\u0000\ufffd 45\ufffdvi\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdnZ\u0018\ufffd3\ufffd\ufffdo*\ufffd\u0019Z\ufffd6\ufffd\ufffd5\ufffdn\ufffd\ufffd8\ufffd5\ufffd\ufffd,\ufffd\ufffdt\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n.+<\u0003\u001a\ufffd\u0003\ufffdMi\ufffd\ufffd\ufffd\ufffde:\ufffd\ufffd2<\ufffd\u0013\ucbd34h\u0017{n\ufffd \ufffd\u061e\ufffd\ufffda*\fO\ufffdSC\u001ba'\ufffd^9*<\u0014\u0000\ufffd 45\ufffdvi\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "26fcc09a9584b4941f2e80427907c57dc9947121",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n.+<\u0003\u001a\ufffd\u0003\ufffdMi\ufffd\ufffd\ufffd\ufffde:\ufffd\ufffd2<\ufffd\u0013\ucbd34h\u0017{n\ufffd \ufffd\u061e\ufffd\ufffda*\fO\ufffdSC\u001ba'\ufffd^9*<\u0014\u0000\ufffd 45\ufffdvi\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\n.+<\ufffd\ufffdMi\ufffd\ufffd\ufffd\ufffde:\ufffd\ufffd2<\ufffd\ucbd34h{n\ufffd \ufffd\u061e\ufffd\ufffda*O\ufffdSCa'\ufffd^9*<\ufffd 45\ufffdvi\ufffd\ufffd#&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n.+<\u0003\u001a\ufffd\u0003\ufffdMi\ufffd\ufffd\ufffd\ufffde:\ufffd\ufffd2<\ufffd\u0013\ucbd34h\u0017{n\ufffd \ufffd\u061e\ufffd\ufffda*\fO\ufffdSC\u001ba'\ufffd^9*<\u0014\u0000\ufffd 45\ufffdvi\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\n.+<\ufffd\ufffdMi\ufffd\ufffd\ufffd\ufffde:\ufffd\ufffd2<\ufffd\ucbd34h{n\ufffd \ufffd\u061e\ufffd\ufffda*O\ufffdSCa'\ufffd^9*<\ufffd 45\ufffdvi\ufffd\ufffd#&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������jb�('�=�g'��2���V���*��b�,�c0, ڃƧGÌ*6�;���9����m�7����/�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������jb�('�=�g'��2���V���*��b�,�c0, ڃƧGÌ*6�;���9����m�7����/�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������jb�('�=�g'��2���V���*��b�,�c0, ڃƧGÌ*6�;���9����m�7����/�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �Iř>�_�te�(�������ZK{(��7�pTp
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.794209046070543,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f93b3955d2705f1d127c7d581d7878627064fa85",
"event_fingerprint": "02434d2e60f4de8ddfb8738f2a4e125d2d8704ba",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "b734a2113881989033bf4903f16f9df8",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jb\ufffd('\u0001=\ufffdg'\ufffd\ufffd2\ufffd\u0010\ufffdV\u001f\u0018\ufffd*\ufffd\ufffdb\ufffd,\u0000c0, \u0683\u01a7G\u00cc*6\ufffd;\ufffd\ufffd\ufffd9\ufffd\ufffd\u0000\u0011m\ufffd7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jb\ufffd('\u0001=\ufffdg'\ufffd\ufffd2\ufffd\u0010\ufffdV\u001f\u0018\ufffd*\ufffd\ufffdb\ufffd,\u0000c0, \u0683\u01a7G\u00cc*6\ufffd;\ufffd\ufffd\ufffd9\ufffd\ufffd\u0000\u0011m\ufffd7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdI\u0159>\ufffd_\ufffdte\ufffd(\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZK{(\u0019\u00037\ufffdpTp",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jb\ufffd('\u0001=\ufffdg'\ufffd\ufffd2\ufffd\u0010\ufffdV\u001f\u0018\ufffd*\ufffd\ufffdb\ufffd,\u0000c0, \u0683\u01a7G\u00cc*6\ufffd;\ufffd\ufffd\ufffd9\ufffd\ufffd\u0000\u0011m\ufffd7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "68fad8ed28f0d800fbb3b22b2ebe9af21011cafe",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jb\ufffd('\u0001=\ufffdg'\ufffd\ufffd2\ufffd\u0010\ufffdV\u001f\u0018\ufffd*\ufffd\ufffdb\ufffd,\u0000c0, \u0683\u01a7G\u00cc*6\ufffd;\ufffd\ufffd\ufffd9\ufffd\ufffd\u0000\u0011m\ufffd7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdjb\ufffd('=\ufffdg'\ufffd\ufffd2\ufffd\ufffdV\ufffd*\ufffd\ufffdb\ufffd,c0, \u0683\u01a7G\u00cc*6\ufffd;\ufffd\ufffd\ufffd9\ufffd\ufffdm\ufffd7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003jb\ufffd('\u0001=\ufffdg'\ufffd\ufffd2\ufffd\u0010\ufffdV\u001f\u0018\ufffd*\ufffd\ufffdb\ufffd,\u0000c0, \u0683\u01a7G\u00cc*6\ufffd;\ufffd\ufffd\ufffd9\ufffd\ufffd\u0000\u0011m\ufffd7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdjb\ufffd('=\ufffdg'\ufffd\ufffd2\ufffd\ufffdV\ufffd*\ufffd\ufffdb\ufffd,c0, \u0683\u01a7G\u00cc*6\ufffd;\ufffd\ufffd\ufffd9\ufffd\ufffdm\ufffd7\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�������������HN��^6N.�:1� 9}�kc�u�G�R��w�P� ����}����w�7VN�$Py<qk�.�"l����\�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������HN��^6N.�:1� 9}�kc�u�G�R��w�P� ����}����w�7VN�$Py<qk�.�"l����\�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������HN��^6N.�:1� 9}�kc�u�G�R��w�P� ����}����w�7VN�$Py<qk�.�"l����\�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �#ff��X(�/�)���|���V��!�M���6��
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.824727907864579,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f93b3955d2705f1d127c7d581d7878627064fa85",
"event_fingerprint": "02434d2e60f4de8ddfb8738f2a4e125d2d8704ba",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "71a29cde8dd0af3ee4e3475744b6a0d7",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdHN\ufffd\ufffd^6N.\ufffd:1\ufffd\t9}\ufffdkc\ufffdu\ufffdG\u0006R\ufffd\u001aw\u0007P\ufffd \ufffd\u0016\ufffd\ufffd}\ufffd\ufffd\u0003\ufffdw\ufffd7VN\ufffd$Py<qk\ufffd.\ufffd\"l\ufffd\ufffd\ufffd\u0016\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdHN\ufffd\ufffd^6N.\ufffd:1\ufffd\t9}\ufffdkc\ufffdu\ufffdG\u0006R\ufffd\u001aw\u0007P\ufffd \ufffd\u0016\ufffd\ufffd}\ufffd\ufffd\u0003\ufffdw\ufffd7VN\ufffd$Py<qk\ufffd.\ufffd\"l\ufffd\ufffd\ufffd\u0016\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0003#ff\u0012\ufffdX(\ufffd\/\ufffd)\ufffd\ufffd\ufffd|\u0003\ufffd\ufffdV\ufffd\ufffd!\ufffdM\ufffd\ufffd\ufffd6\ufffd\u0013",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdHN\ufffd\ufffd^6N.\ufffd:1\ufffd\t9}\ufffdkc\ufffdu\ufffdG\u0006R\ufffd\u001aw\u0007P\ufffd \ufffd\u0016\ufffd\ufffd}\ufffd\ufffd\u0003\ufffdw\ufffd7VN\ufffd$Py<qk\ufffd.\ufffd\"l\ufffd\ufffd\ufffd\u0016\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "645a75f82e058843e22dd5adff91ede9d0e67e12",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdHN\ufffd\ufffd^6N.\ufffd:1\ufffd\t9}\ufffdkc\ufffdu\ufffdG\u0006R\ufffd\u001aw\u0007P\ufffd \ufffd\u0016\ufffd\ufffd}\ufffd\ufffd\u0003\ufffdw\ufffd7VN\ufffd$Py<qk\ufffd.\ufffd\"l\ufffd\ufffd\ufffd\u0016\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdHN\ufffd\ufffd^6N.\ufffd:1\ufffd\t9}\ufffdkc\ufffdu\ufffdGR\ufffdwP\ufffd \ufffd\ufffd\ufffd}\ufffd\ufffd\ufffdw\ufffd7VN\ufffd$Py<qk\ufffd.\ufffd\"l\ufffd\ufffd\ufffd\\&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdHN\ufffd\ufffd^6N.\ufffd:1\ufffd\t9}\ufffdkc\ufffdu\ufffdG\u0006R\ufffd\u001aw\u0007P\ufffd \ufffd\u0016\ufffd\ufffd}\ufffd\ufffd\u0003\ufffdw\ufffd7VN\ufffd$Py<qk\ufffd.\ufffd\"l\ufffd\ufffd\ufffd\u0016\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdHN\ufffd\ufffd^6N.\ufffd:1\ufffd\t9}\ufffdkc\ufffdu\ufffdGR\ufffdwP\ufffd \ufffd\ufffd\ufffd}\ufffd\ufffd\ufffdw\ufffd7VN\ufffd$Py<qk\ufffd.\ufffd\"l\ufffd\ufffd\ufffd\\&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������ɲYT�v���l�=*��o��7B�Gcx� ��б� ��_3�ck���.S�x O&���E�8Ur8&=�i���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ɲYT�v���l�=*��o��7B�Gcx�
��б� ��_3�ck���.S�x�O&���E�8Ur8&=�i���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������ɲYT�v���l�=*��o��7B�Gcx� ��б� ��_3�ck���.S�x O&���E�8Ur8&=�i���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� 5��8~��i��|���R�Nٱu ���S��w����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.791777027917092,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f93b3955d2705f1d127c7d581d7878627064fa85",
"event_fingerprint": "02434d2e60f4de8ddfb8738f2a4e125d2d8704ba",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "06c8c5e4b1f45ea25c700d4ccf5f05df",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0272YT\ufffdv\ufffd\u0017\ufffdl\ufffd=*\ufffd\ufffdo\ufffd\ufffd7B\u0002Gcx\ufffd\n\ufffd\ufffd\u0431\ufffd \ufffd\ufffd_3\u0000ck\u0010\ufffd\ufffd.S\ufffdx\fO&\ufffd\u0000\u001eE\ufffd8Ur8&=\ufffdi\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0272YT\ufffdv\ufffd\u0017\ufffdl\ufffd=*\ufffd\ufffdo\ufffd\ufffd7B\u0002Gcx\ufffd\n\ufffd\ufffd\u0431\ufffd \ufffd\ufffd_3\u0000ck\u0010\ufffd\ufffd.S\ufffdx\fO&\ufffd\u0000\u001eE\ufffd8Ur8&=\ufffdi\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 5\ufffd\ufffd8~\ufffd\ufffdi\u0017\ufffd|\ufffd\u0015\ufffdR\ufffdN\u0671u\r\ufffd\ufffd\ufffdS\u0017\ufffdw\ufffd\ufffd\ufffd\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0272YT\ufffdv\ufffd\u0017\ufffdl\ufffd=*\ufffd\ufffdo\ufffd\ufffd7B\u0002Gcx\ufffd\n\ufffd\ufffd\u0431\ufffd \ufffd\ufffd_3\u0000ck\u0010\ufffd\ufffd.S\ufffdx\fO&\ufffd\u0000\u001eE\ufffd8Ur8&=\ufffdi\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9d38373fc5d458b2d1dbc7bdad08c636e850d1c3",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0272YT\ufffdv\ufffd\u0017\ufffdl\ufffd=*\ufffd\ufffdo\ufffd\ufffd7B\u0002Gcx\ufffd\n\ufffd\ufffd\u0431\ufffd \ufffd\ufffd_3\u0000ck\u0010\ufffd\ufffd.S\ufffdx\fO&\ufffd\u0000\u001eE\ufffd8Ur8&=\ufffdi\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\u0272YT\ufffdv\ufffd\ufffdl\ufffd=*\ufffd\ufffdo\ufffd\ufffd7BGcx\ufffd\n\ufffd\ufffd\u0431\ufffd \ufffd\ufffd_3ck\ufffd\ufffd.S\ufffdxO&\ufffdE\ufffd8Ur8&=\ufffdi\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0272YT\ufffdv\ufffd\u0017\ufffdl\ufffd=*\ufffd\ufffdo\ufffd\ufffd7B\u0002Gcx\ufffd\n\ufffd\ufffd\u0431\ufffd \ufffd\ufffd_3\u0000ck\u0010\ufffd\ufffd.S\ufffdx\fO&\ufffd\u0000\u001eE\ufffd8Ur8&=\ufffdi\u0004\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\u0272YT\ufffdv\ufffd\ufffdl\ufffd=*\ufffd\ufffdo\ufffd\ufffd7BGcx\ufffd\n\ufffd\ufffd\u0431\ufffd \ufffd\ufffd_3ck\ufffd\ufffd.S\ufffdxO&\ufffdE\ufffd8Ur8&=\ufffdi\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
��������������WUx�;�(1Iq[����5M.�B%����t�� �<�H<�y���;����8���4#�=�P��� G��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������WUx�;�(1Iq[����5M.�B%����t�� �<�H<�y���;����8���4#�=�P����G��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������WUx�;�(1Iq[����5M.�B%����t�� �<�H<�y���;����8���4#�=�P��� G��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���8��B��Ss���vj�B~�\Rpa�!���+h
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.834164974635453,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f93b3955d2705f1d127c7d581d7878627064fa85",
"event_fingerprint": "02434d2e60f4de8ddfb8738f2a4e125d2d8704ba",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "bdbe7d65edac09e4d516b1666eafb3f6",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdWUx\ufffd;\ufffd(1Iq[\ufffd\u0013\u0004\ufffd5M.\ufffdB%\ufffd\ufffd\ufffd\ufffdt\u001d\ufffd \ufffd<\u000fH<\ufffdy\ufffd\ufffd\u0004;\ufffd\u001c\ufffd\ufffd8\ufffd\ufffd\ufffd4#\ufffd=\ufffdP\ufffd\u0015\ufffd\u000bG\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdWUx\ufffd;\ufffd(1Iq[\ufffd\u0013\u0004\ufffd5M.\ufffdB%\ufffd\ufffd\ufffd\ufffdt\u001d\ufffd \ufffd<\u000fH<\ufffdy\ufffd\ufffd\u0004;\ufffd\u001c\ufffd\ufffd8\ufffd\ufffd\ufffd4#\ufffd=\ufffdP\ufffd\u0015\ufffd\u000bG\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0002\ufffd8\ufffd\ufffdB\ufffd\ufffdSs\ufffd\ufffd\ufffdvj\ufffdB~\u0000\\Rpa\ufffd!\ufffd\ufffd\ufffd+h",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdWUx\ufffd;\ufffd(1Iq[\ufffd\u0013\u0004\ufffd5M.\ufffdB%\ufffd\ufffd\ufffd\ufffdt\u001d\ufffd \ufffd<\u000fH<\ufffdy\ufffd\ufffd\u0004;\ufffd\u001c\ufffd\ufffd8\ufffd\ufffd\ufffd4#\ufffd=\ufffdP\ufffd\u0015\ufffd\u000bG\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "35b031213c018050ec33300246d0479cab6016b0",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdWUx\ufffd;\ufffd(1Iq[\ufffd\u0013\u0004\ufffd5M.\ufffdB%\ufffd\ufffd\ufffd\ufffdt\u001d\ufffd \ufffd<\u000fH<\ufffdy\ufffd\ufffd\u0004;\ufffd\u001c\ufffd\ufffd8\ufffd\ufffd\ufffd4#\ufffd=\ufffdP\ufffd\u0015\ufffd\u000bG\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdWUx\ufffd;\ufffd(1Iq[\ufffd\ufffd5M.\ufffdB%\ufffd\ufffd\ufffd\ufffdt\ufffd \ufffd<H<\ufffdy\ufffd\ufffd;\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd4#\ufffd=\ufffdP\ufffd\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdWUx\ufffd;\ufffd(1Iq[\ufffd\u0013\u0004\ufffd5M.\ufffdB%\ufffd\ufffd\ufffd\ufffdt\u001d\ufffd \ufffd<\u000fH<\ufffdy\ufffd\ufffd\u0004;\ufffd\u001c\ufffd\ufffd8\ufffd\ufffd\ufffd4#\ufffd=\ufffdP\ufffd\u0015\ufffd\u000bG\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdWUx\ufffd;\ufffd(1Iq[\ufffd\ufffd5M.\ufffdB%\ufffd\ufffd\ufffd\ufffdt\ufffd \ufffd<H<\ufffdy\ufffd\ufffd;\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffd4#\ufffd=\ufffdP\ufffd\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
������������$>��Ig���.U��u����_����l-u����� �Ҩ��o�O�LS��7�����Ӻ�O��B��C����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������$>��Ig���.U��u����_����l-u����� �Ҩ��o�O�LS��7�����Ӻ�O��B��C����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������$>��Ig���.U��u����_����l-u����� �Ҩ��o�O�LS��7�����Ӻ�O��B��C����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��T�FN�\a�F��9�k����y�s�� ��#�;�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.941482063244704,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f93b3955d2705f1d127c7d581d7878627064fa85",
"event_fingerprint": "02434d2e60f4de8ddfb8738f2a4e125d2d8704ba",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "0a9832a42b58eea6bb5c6a0915f59206",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$>\ufffd\ufffdIg\ufffd\ufffd\ufffd.U\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdl-u\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\u04a8\ufffd\ufffdo\ufffdO\ufffdLS\u001d\u000f7\ufffd\u0014\u0013\ufffd\u001c\u04fa\ufffdO\ufffd\ufffdB\u001b\ufffdC\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$>\ufffd\ufffdIg\ufffd\ufffd\ufffd.U\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdl-u\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\u04a8\ufffd\ufffdo\ufffdO\ufffdLS\u001d\u000f7\ufffd\u0014\u0013\ufffd\u001c\u04fa\ufffdO\ufffd\ufffdB\u001b\ufffdC\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdT\ufffdFN\ufffd\\a\ufffdF\ufffd\ufffd9\ufffdk\ufffd\ufffd\ufffd\ufffdy\ufffds\ufffd\u0006\n\ufffd\u0015#\ufffd;\u001b",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$>\ufffd\ufffdIg\ufffd\ufffd\ufffd.U\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdl-u\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\u04a8\ufffd\ufffdo\ufffdO\ufffdLS\u001d\u000f7\ufffd\u0014\u0013\ufffd\u001c\u04fa\ufffdO\ufffd\ufffdB\u001b\ufffdC\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b5b8d282a04167128ef8a8b4a63976293027af8d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$>\ufffd\ufffdIg\ufffd\ufffd\ufffd.U\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdl-u\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\u04a8\ufffd\ufffdo\ufffdO\ufffdLS\u001d\u000f7\ufffd\u0014\u0013\ufffd\u001c\u04fa\ufffdO\ufffd\ufffdB\u001b\ufffdC\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd$>\ufffd\ufffdIg\ufffd\ufffd\ufffd.U\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdl-u\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\u04a8\ufffd\ufffdo\ufffdO\ufffdLS7\ufffd\ufffd\u04fa\ufffdO\ufffd\ufffdB\ufffdC\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$>\ufffd\ufffdIg\ufffd\ufffd\ufffd.U\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdl-u\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\u04a8\ufffd\ufffdo\ufffdO\ufffdLS\u001d\u000f7\ufffd\u0014\u0013\ufffd\u001c\u04fa\ufffdO\ufffd\ufffdB\u001b\ufffdC\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd$>\ufffd\ufffdIg\ufffd\ufffd\ufffd.U\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdl-u\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\u04a8\ufffd\ufffdo\ufffdO\ufffdLS7\ufffd\ufffd\u04fa\ufffdO\ufffd\ufffdB\ufffdC\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /app/.env.backup
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.backup UA Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/.env.backup
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/app/.env.backup
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.env.backup HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3068.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /app/.env.backup HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML,
Requête brute (extrait)
GET /app/.env.backup HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3068.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "backup",
"http_ua_hash": "6aa32c21445bb06039622edb882423a812b5d4a6",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "b42013d9fc6faf7024bf195a915bf9a177806a2f",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 242,
"payload_entropy": 5.42770579619936,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "a3c77d98a83616ff445161b77ff10fd738a0cf2b",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "316828e57dcabf29c30aa1f43b70a4d6",
"payload_hash": "16ce1bd6c813a4aae307e0087e820522",
"path_pattern_hash": "114733505d40fc8a9280b409ddd76598"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML,",
"method": "GET",
"path": "\/app\/.env.backup",
"user_agent": "Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3068.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.backup HTTP\/1.1",
"request_sample": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3068.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML,",
"evidence": {
"method": "GET",
"path": "\/app\/.env.backup",
"user_agent": "Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3068.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.backup HTTP\/1.1",
"request_sample": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3068.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML,",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b2434ea5e72d3d1b1f272b41c5e3a22e9d0c0943",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.backup",
"request_line": "GET \/app\/.env.backup HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3068.0 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML,",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.backup",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.backup",
"request_line": "GET \/app\/.env.backup HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3068.0 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.backup",
"evidence_snippet": "GET \/app\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; WOW64) AppleWebKit\/537.36 (KHTML,",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /app/.env.production
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.production UA DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/…
Émulateur
HTTP
WAF
33
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/app/.env.production
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/app/.env.production
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /app/.env.production HTTP/1.1
User-Agent
DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html)
Règles WAF
rce-0
ssrf-3
nosqli-3
leak-1
Payload (extrait)
GET /app/.env.production HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mo
Requête brute (extrait)
GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: DoCoMo/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile/2.1; http://www.google.com/bot.html) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "production",
"http_ua_hash": "a31c702bdfef09fd7eae66cc20deec71c01755fe",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "9f1a3b476954729097b55b44dc605e9187baaeeb",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 239,
"payload_entropy": 5.282987115231371,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "ac91ea62cda83265b925c19e26799e18c7e31588",
"event_fingerprint": "199225aa4beaf0afcd214b343478bb978007fe57",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ffdb5771031def79d8934f61136d7094",
"payload_hash": "0a458f4b2c38764ec4f6c05e511e9f66",
"path_pattern_hash": "129b91fce99c27e6763c24ece35d5295"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mo",
"method": "GET",
"path": "\/app\/.env.production",
"user_agent": "DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.production HTTP\/1.1",
"request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mo",
"evidence": {
"method": "GET",
"path": "\/app\/.env.production",
"user_agent": "DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.production HTTP\/1.1",
"request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mo",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6993371064a55d972da636ac2fb9fa339fc5dab9",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.production",
"request_line": "GET \/app\/.env.production HTTP\/1.1",
"http_user_agent": "DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mo",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.production",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.production",
"request_line": "GET \/app\/.env.production HTTP\/1.1",
"http_user_agent": "DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mobile\/2.1; http:\/\/www.google.com\/bot.html)",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.production",
"evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: DoCoMo\/2.0 N905i(c100;TB;W24H16) (compatible; Googlebot-Mo",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�������������P�L��h1����� � ~��)H̵�%��n�Z7 (y�(�L�w � �Y|��������y���Q��=0{�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������P�L��h1�����
� ~��)H̵�%��n�Z7 (y�(�L�w��
�Y|��������y���Q��=0{�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������P�L��h1����� � ~��)H̵�%��n�Z7 (y�(�L�w � �Y|��������y���Q��=0{�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �n�Y�� �m�8�P�� �����ٛT���7�P�8
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.847138781268882,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "db9dc885ad29179897f64d8b55d86aff",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP\ufffdL\ufffd\ufffdh1\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd ~\ufffd\u0002)H\u0335\ufffd%\ufffd\ufffdn\ufffdZ7 (y\ufffd(\ufffdL\ufffdw\f\ufffd\r\ufffdY|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\u0011\ufffd\u0003Q\ufffd\ufffd=0{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP\ufffdL\ufffd\ufffdh1\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd ~\ufffd\u0002)H\u0335\ufffd%\ufffd\ufffdn\ufffdZ7 (y\ufffd(\ufffdL\ufffdw\f\ufffd\r\ufffdY|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\u0011\ufffd\u0003Q\ufffd\ufffd=0{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdn\ufffdY\ufffd\ufffd\n\u0001m\ufffd8\ufffdP\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\u0003\ufffd\u065bT\ufffd\ufffd\ufffd7\ufffdP\ufffd8",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP\ufffdL\ufffd\ufffdh1\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd ~\ufffd\u0002)H\u0335\ufffd%\ufffd\ufffdn\ufffdZ7 (y\ufffd(\ufffdL\ufffdw\f\ufffd\r\ufffdY|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\u0011\ufffd\u0003Q\ufffd\ufffd=0{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3302bf4ec4f65791339a60a2e260dd710b33a3fe",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP\ufffdL\ufffd\ufffdh1\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd ~\ufffd\u0002)H\u0335\ufffd%\ufffd\ufffdn\ufffdZ7 (y\ufffd(\ufffdL\ufffdw\f\ufffd\r\ufffdY|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\u0011\ufffd\u0003Q\ufffd\ufffd=0{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdP\ufffdL\ufffd\ufffdh1\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd ~\ufffd)H\u0335\ufffd%\ufffd\ufffdn\ufffdZ7 (y\ufffd(\ufffdL\ufffdw\ufffd\r\ufffdY|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffdQ\ufffd\ufffd=0{&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdP\ufffdL\ufffd\ufffdh1\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd ~\ufffd\u0002)H\u0335\ufffd%\ufffd\ufffdn\ufffdZ7 (y\ufffd(\ufffdL\ufffdw\f\ufffd\r\ufffdY|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\u0011\ufffd\u0003Q\ufffd\ufffd=0{\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdP\ufffdL\ufffd\ufffdh1\ufffd\ufffd\ufffd\ufffd\ufffd\n\ufffd ~\ufffd)H\u0335\ufffd%\ufffd\ufffdn\ufffdZ7 (y\ufffd(\ufffdL\ufffdw\ufffd\r\ufffdY|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy\ufffdQ\ufffd\ufffd=0{&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /app/.env.old
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.old UA Mozilla/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit/537.3…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/.env.old
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/app/.env.old
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.env.old HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
leak-8
Payload (extrait)
GET /app/.env.old HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit/537.36
Requête brute (extrait)
GET /app/.env.old HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "old",
"http_ua_hash": "e8b1c69e533ecd2a1b85bb980977e549cc580593",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "ad318b5cc7cc0c1bf7e3b724fbebccf0a8e6ad42",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 257,
"payload_entropy": 5.386021138640453,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "965bb0aa7e1ea67a9152365df31ae391073a8436",
"event_fingerprint": "eab6cb243861c8aab78df4f959e24f464630399b",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "81a00c8ffee4949501a740c797596054",
"payload_hash": "8c215da755ddb831a0e9523c0ebe04cf",
"path_pattern_hash": "8ac2cfa932003fc4c8032f73eb2729b9"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36 ",
"method": "GET",
"path": "\/app\/.env.old",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"leak-8"
],
"request_line": "GET \/app\/.env.old HTTP\/1.1",
"request_sample": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36",
"evidence": {
"method": "GET",
"path": "\/app\/.env.old",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"leak-8"
],
"request_line": "GET \/app\/.env.old HTTP\/1.1",
"request_sample": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "21412921bfefcc0008e4f285f8a71d54f9675b58",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.old",
"request_line": "GET \/app\/.env.old HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.old",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.old",
"request_line": "GET \/app\/.env.old HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.old",
"evidence_snippet": "GET \/app\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; vivo 1807) AppleWebKit\/537.36",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"http_backup_file_scan",
"http_backup_path",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�������������Z�����|��p-{9m���������>�U��L� �q'�������a|�L7���Lu_���\�2�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������Z�����|��p-{9m���������>�U��L� �q'�������a|�L7���Lu_���\�2�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������Z�����|��p-{9m���������>�U��L� �q'�������a|�L7���Lu_���\�2�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ?��G�w�����C����w���������+x��m
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.841310852786737,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "07c34d1d6b0913a6a0c330c99741bdb7",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdZ\ufffd\u0017\ufffd\ufffd\ufffd|\ufffd\ufffdp-{9m\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd>\u0019U\u0016\ufffdL\u001e \ufffdq'\ufffd\ufffd\u001d\ufffd\u0013\ufffd\ufffda|\ufffdL7\ufffd\ufffd\u0017Lu_\ufffd\ufffd\ufffd\\\u00112\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdZ\ufffd\u0017\ufffd\ufffd\ufffd|\ufffd\ufffdp-{9m\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd>\u0019U\u0016\ufffdL\u001e \ufffdq'\ufffd\ufffd\u001d\ufffd\u0013\ufffd\ufffda|\ufffdL7\ufffd\ufffd\u0017Lu_\ufffd\ufffd\ufffd\\\u00112\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 ?\u0012\u001eG\ufffdw\ufffd\u000e\u0014\ufffd\ufffdC\ufffd\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+x\ufffd\u0011m",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdZ\ufffd\u0017\ufffd\ufffd\ufffd|\ufffd\ufffdp-{9m\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd>\u0019U\u0016\ufffdL\u001e \ufffdq'\ufffd\ufffd\u001d\ufffd\u0013\ufffd\ufffda|\ufffdL7\ufffd\ufffd\u0017Lu_\ufffd\ufffd\ufffd\\\u00112\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8c58b3b6103f0067109a37dd70284173e65e8b85",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdZ\ufffd\u0017\ufffd\ufffd\ufffd|\ufffd\ufffdp-{9m\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd>\u0019U\u0016\ufffdL\u001e \ufffdq'\ufffd\ufffd\u001d\ufffd\u0013\ufffd\ufffda|\ufffdL7\ufffd\ufffd\u0017Lu_\ufffd\ufffd\ufffd\\\u00112\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd|\ufffd\ufffdp-{9m\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>U\ufffdL \ufffdq'\ufffd\ufffd\ufffd\ufffd\ufffda|\ufffdL7\ufffd\ufffdLu_\ufffd\ufffd\ufffd\\2\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdZ\ufffd\u0017\ufffd\ufffd\ufffd|\ufffd\ufffdp-{9m\ufffd\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffd>\u0019U\u0016\ufffdL\u001e \ufffdq'\ufffd\ufffd\u001d\ufffd\u0013\ufffd\ufffda|\ufffdL7\ufffd\ufffd\u0017Lu_\ufffd\ufffd\ufffd\\\u00112\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd|\ufffd\ufffdp-{9m\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd>U\ufffdL \ufffdq'\ufffd\ufffd\ufffd\ufffd\ufffda|\ufffdL7\ufffd\ufffdLu_\ufffd\ufffd\ufffd\\2\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
��������������@n0��s����KT�F�M�h��]����i�V �P^��Y�ܩ ��J��p��A�№զ�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������@n0��s����KT�F�M�h��]����i�V �P^��Y�ܩ���J��p��A�№զ�������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������@n0��s����KT�F�M�h��]����i�V �P^��Y�ܩ ��J��p��A�№զ�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���n-�?nR���,FJ�;�$P�y̴�����K
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.840374125853987,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "e84200676ac399cdc2abc263f398cb03",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@n0\u0006\ufffds\ufffd\ufffd\ufffd\ufffdKT\ufffdF\ufffdM\ufffdh\ufffd\ufffd]\ufffd\ufffd\ufffd\u001fi\ufffdV \ufffdP^\u0011\ufffdY\ufffd\u0729\u000b\ufffd\ufffdJ\ufffd\ufffdp\ufffd\ufffdA\ufffd\u2116\u0566\ufffd\u0016\u001b\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@n0\u0006\ufffds\ufffd\ufffd\ufffd\ufffdKT\ufffdF\ufffdM\ufffdh\ufffd\ufffd]\ufffd\ufffd\ufffd\u001fi\ufffdV \ufffdP^\u0011\ufffdY\ufffd\u0729\u000b\ufffd\ufffdJ\ufffd\ufffdp\ufffd\ufffdA\ufffd\u2116\u0566\ufffd\u0016\u001b\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdn-\ufffd?nR\u0016\ufffd\ufffd,FJ\ufffd;\ufffd$P\ufffdy\u0334\ufffd\ufffd\u0006\ufffd\ufffdK\u000b",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@n0\u0006\ufffds\ufffd\ufffd\ufffd\ufffdKT\ufffdF\ufffdM\ufffdh\ufffd\ufffd]\ufffd\ufffd\ufffd\u001fi\ufffdV \ufffdP^\u0011\ufffdY\ufffd\u0729\u000b\ufffd\ufffdJ\ufffd\ufffdp\ufffd\ufffdA\ufffd\u2116\u0566\ufffd\u0016\u001b\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7d8436da9e6cacda94547bbfebc4c1c2dc4e380a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@n0\u0006\ufffds\ufffd\ufffd\ufffd\ufffdKT\ufffdF\ufffdM\ufffdh\ufffd\ufffd]\ufffd\ufffd\ufffd\u001fi\ufffdV \ufffdP^\u0011\ufffdY\ufffd\u0729\u000b\ufffd\ufffdJ\ufffd\ufffdp\ufffd\ufffdA\ufffd\u2116\u0566\ufffd\u0016\u001b\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd@n0\ufffds\ufffd\ufffd\ufffd\ufffdKT\ufffdF\ufffdM\ufffdh\ufffd\ufffd]\ufffd\ufffd\ufffdi\ufffdV \ufffdP^\ufffdY\ufffd\u0729\ufffd\ufffdJ\ufffd\ufffdp\ufffd\ufffdA\ufffd\u2116\u0566\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@n0\u0006\ufffds\ufffd\ufffd\ufffd\ufffdKT\ufffdF\ufffdM\ufffdh\ufffd\ufffd]\ufffd\ufffd\ufffd\u001fi\ufffdV \ufffdP^\u0011\ufffdY\ufffd\u0729\u000b\ufffd\ufffdJ\ufffd\ufffdp\ufffd\ufffdA\ufffd\u2116\u0566\ufffd\u0016\u001b\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd@n0\ufffds\ufffd\ufffd\ufffd\ufffdKT\ufffdF\ufffdM\ufffdh\ufffd\ufffd]\ufffd\ufffd\ufffdi\ufffdV \ufffdP^\ufffdY\ufffd\u0729\ufffd\ufffdJ\ufffd\ufffdp\ufffd\ufffdA\ufffd\u2116\u0566\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������Z�N~d��'��7R���L��ڞ��I�b�/*�dJ �SN��`B�T`'܄���&�6W�5?����o���X�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Z�N~d��'��7R���L��ڞ��I�b�/*�dJ �SN��`B�T`'܄���&�6W�5?����o���X�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������Z�N~d��'��7R���L��ڞ��I�b�/*�dJ �SN��`B�T`'܄���&�6W�5?����o���X�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���e ����j��]Ȼq����Љ�d�Ϧ�Z�/�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.849741619400129,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "5ccf29afcde83ab1fc9b374d783e40a4",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffdN~d\ufffd\ufffd'\ufffd\ufffd7R\u0014\ufffd\ufffdL\ufffd\ufffd\u069e\ufffd\ufffdI\ufffdb\ufffd\/*\ufffddJ \ufffdSN\u000f\ufffd`B\ufffdT`'\u0704\ufffd\u0016\ufffd&\ufffd6W\u00115?\u001a\u001b\ufffd\u0019o\ufffd\ufffd\ufffdX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffdN~d\ufffd\ufffd'\ufffd\ufffd7R\u0014\ufffd\ufffdL\ufffd\ufffd\u069e\ufffd\ufffdI\ufffdb\ufffd\/*\ufffddJ \ufffdSN\u000f\ufffd`B\ufffdT`'\u0704\ufffd\u0016\ufffd&\ufffd6W\u00115?\u001a\u001b\ufffd\u0019o\ufffd\ufffd\ufffdX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0004\ufffd\u0017e\t\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd]\u023bq\ufffd\u001a\ufffd\ufffd\u0409\ufffdd\ufffd\u03e6\u0005Z\ufffd\/\u0005",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffdN~d\ufffd\ufffd'\ufffd\ufffd7R\u0014\ufffd\ufffdL\ufffd\ufffd\u069e\ufffd\ufffdI\ufffdb\ufffd\/*\ufffddJ \ufffdSN\u000f\ufffd`B\ufffdT`'\u0704\ufffd\u0016\ufffd&\ufffd6W\u00115?\u001a\u001b\ufffd\u0019o\ufffd\ufffd\ufffdX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "72980dda6eb86ec6a5b4dcc20aa227f0393a750d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffdN~d\ufffd\ufffd'\ufffd\ufffd7R\u0014\ufffd\ufffdL\ufffd\ufffd\u069e\ufffd\ufffdI\ufffdb\ufffd\/*\ufffddJ \ufffdSN\u000f\ufffd`B\ufffdT`'\u0704\ufffd\u0016\ufffd&\ufffd6W\u00115?\u001a\u001b\ufffd\u0019o\ufffd\ufffd\ufffdX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdZ\ufffdN~d\ufffd\ufffd'\ufffd\ufffd7R\ufffd\ufffdL\ufffd\ufffd\u069e\ufffd\ufffdI\ufffdb\ufffd\/*\ufffddJ \ufffdSN\ufffd`B\ufffdT`'\u0704\ufffd\ufffd&\ufffd6W5?\ufffdo\ufffd\ufffd\ufffdX&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Z\ufffdN~d\ufffd\ufffd'\ufffd\ufffd7R\u0014\ufffd\ufffdL\ufffd\ufffd\u069e\ufffd\ufffdI\ufffdb\ufffd\/*\ufffddJ \ufffdSN\u000f\ufffd`B\ufffdT`'\u0704\ufffd\u0016\ufffd&\ufffd6W\u00115?\u001a\u001b\ufffd\u0019o\ufffd\ufffd\ufffdX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdZ\ufffdN~d\ufffd\ufffd'\ufffd\ufffd7R\ufffd\ufffdL\ufffd\ufffd\u069e\ufffd\ufffdI\ufffdb\ufffd\/*\ufffddJ \ufffdSN\ufffd`B\ufffdT`'\u0704\ufffd\ufffd&\ufffd6W5?\ufffdo\ufffd\ufffd\ufffdX&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /app/.env.prod
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.prod UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/.env.prod
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/app/.env.prod
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.env.prod HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3436.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /app/.env.prod HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH
Requête brute (extrait)
GET /app/.env.prod HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3436.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "prod",
"http_ua_hash": "c1829e33905e469435482d5a99cb1058fc3c4be7",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "ee922ae5907bc48e4659f274d485f8c67812795b",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 246,
"payload_entropy": 5.39665940819746,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "f4f52494a2025db4ce981ddc10708d6ed9e11add",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "0744a14798456c3620dc800647d69ee1",
"payload_hash": "81560a6ec950c7c5ccecf2db3e8a2698",
"path_pattern_hash": "22e14c6f65ce5c9bdbd96012d1745d82"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH",
"method": "GET",
"path": "\/app\/.env.prod",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.prod HTTP\/1.1",
"request_sample": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH",
"evidence": {
"method": "GET",
"path": "\/app\/.env.prod",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.prod HTTP\/1.1",
"request_sample": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4e60ced1853dfd611625884f08d47759e8f6bf1d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.prod",
"request_line": "GET \/app\/.env.prod HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.prod",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.prod",
"request_line": "GET \/app\/.env.prod HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/68.0.3436.0 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.prod",
"evidence_snippet": "GET \/app\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /backend/.env
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/.env UA Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Fi…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/backend/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/backend/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/.env HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /backend/.env HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Fire
Requête brute (extrait)
GET /backend/.env HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "4b27a0268bf93c1e4b2b976844a1f4a3fdd20a09",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "43427b722c17a9a0bc6fc425a8ca9501d2c985f0",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 205,
"payload_entropy": 5.335204829263596,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "9ff1977c4ced4e047e78e7550199945408b2c36e",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4d71a08bb91ca206c6eecf652da5072e",
"payload_hash": "56a70e139f471578815093af2aad2c0b",
"path_pattern_hash": "1ffd9afa4ff51d558fbb13c458726c9c"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Fire",
"method": "GET",
"path": "\/backend\/.env",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env HTTP\/1.1",
"request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Fire",
"evidence": {
"method": "GET",
"path": "\/backend\/.env",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env HTTP\/1.1",
"request_sample": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Fire",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e703050dfa80bea0a91eafe0363a7f87b4ca800f",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env",
"request_line": "GET \/backend\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Fire",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env",
"request_line": "GET \/backend\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env",
"evidence_snippet": "GET \/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Fire",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /app/.env.dev
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.dev UA Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/4.1.4 …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/.env.dev
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/app/.env.dev
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.env.dev HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/4.1.4 (like Gecko)
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /app/.env.dev HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/4.1.4 (l
Requête brute (extrait)
GET /app/.env.dev HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.1; DragonFly) KHTML/4.1.4 (like Gecko) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "dev",
"http_ua_hash": "36fc4936c411643d458a64d63c5ab50f2c908934",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "df5aa2d688155147d78025f13efee7d00a0eafd8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 207,
"payload_entropy": 5.343783219133884,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "2ad79d13f7ac7901febe6778eeefde3025c166c4",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ac64501d484e63341622d347e4b64d8c",
"payload_hash": "edfd17f0cf322ecf26a5bef607199514",
"path_pattern_hash": "80cfd304d2c6517de5f460ebde85ca3d"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (l",
"method": "GET",
"path": "\/app\/.env.dev",
"user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.dev HTTP\/1.1",
"request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (l",
"evidence": {
"method": "GET",
"path": "\/app\/.env.dev",
"user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.dev HTTP\/1.1",
"request_sample": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (l",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8daad9f480a3f02fa91424ecac26c7b69740935c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.dev",
"request_line": "GET \/app\/.env.dev HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (l",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.dev",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.dev",
"request_line": "GET \/app\/.env.dev HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (like Gecko)",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.dev",
"evidence_snippet": "GET \/app\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.1; DragonFly) KHTML\/4.1.4 (l",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /app/.env.staging
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.staging UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/.env.staging
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/app/.env.staging
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.env.staging HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /app/.env.staging HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/53
Requête brute (extrait)
GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "staging",
"http_ua_hash": "a9c9131f21bbd498611e10f71331c7dd5e9f7d05",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "e84f59fbbec8a04fdfc3078fbdf0ae4fd69640c6",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 252,
"payload_entropy": 5.394137409018094,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "47444f1cfe0fc1660ae68c41f0a4225c0239d793",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "171b677823d70df4d8448ff04ae83405",
"payload_hash": "696009d04d41e69f90d51a775a236fbb",
"path_pattern_hash": "5a281530de78ccf813317373171371c8"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/53",
"method": "GET",
"path": "\/app\/.env.staging",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.staging HTTP\/1.1",
"request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/53",
"evidence": {
"method": "GET",
"path": "\/app\/.env.staging",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/.env.staging HTTP\/1.1",
"request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/53",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0453fa85303b67b0e20672c3751744579efd7c45",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.staging",
"request_line": "GET \/app\/.env.staging HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/53",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.staging",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.staging",
"request_line": "GET \/app\/.env.staging HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/535.7 (KHTML, like Gecko) Chrome\/16.0.912.36 Safari\/535.7",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.staging",
"evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit\/53",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /app/backend/.env
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/backend/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/backend/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/app/backend/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/backend/.env HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /app/backend/.env HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/6
Requête brute (extrait)
GET /app/backend/.env HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "env",
"http_ua_hash": "12e61ede4f75e40b24f2a993128b866dcbbd1476",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "97ef8b86f35b56a86d5dbe6549b6162a1d5ef49e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 255,
"payload_entropy": 5.3570102540586335,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "10210c72a7876c3fe5d3f20069241dcc3a4084fc",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c4309eabdc0307906b00671cce766eeb",
"payload_hash": "d410b7e24ea9c7e41aef999b0a58167e",
"path_pattern_hash": "288b39c98eb1f440a224c00537d9552f"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/6",
"method": "GET",
"path": "\/app\/backend\/.env",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/backend\/.env HTTP\/1.1",
"request_sample": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/6",
"evidence": {
"method": "GET",
"path": "\/app\/backend\/.env",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/backend\/.env HTTP\/1.1",
"request_sample": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/6",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "29f090b376b6d0b2c7de1b40f7761cde9150ab7b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/backend\/.env",
"request_line": "GET \/app\/backend\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/6",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/backend\/.env",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/backend\/.env",
"request_line": "GET \/app\/backend\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.3 Safari\/605.1.15",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/backend\/.env",
"evidence_snippet": "GET \/app\/backend\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/6",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /app/.env.bak
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/.env.bak UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/.env.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/app/.env.bak
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/.env.bak HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.99
Règles WAF
rce-0
nosqli-3
leak-1
leak-8
Payload (extrait)
GET /app/.env.bak HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTM
Requête brute (extrait)
GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.99 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "bak",
"http_ua_hash": "5ea74cb7b4a5df5598af1b2c7eadcbe3cc4c7bc0",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "675fe9576f3ec7add08a15dd0c540b55e5bbfdec",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 263,
"payload_entropy": 5.451013159761202,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "965bb0aa7e1ea67a9152365df31ae391073a8436",
"event_fingerprint": "dd99369a2d4c21abb0cd5e28cdd2ecf6d87fd9fe",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "2f2b37816ce27d6344de9867c116bb73",
"payload_hash": "93f48af654a09eb8322442e58a82fe45",
"path_pattern_hash": "a68a9dfeaee6097716a18c2b9f43c5f9"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTM",
"method": "GET",
"path": "\/app\/.env.bak",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.99",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"leak-8"
],
"request_line": "GET \/app\/.env.bak HTTP\/1.1",
"request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.99\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTM",
"evidence": {
"method": "GET",
"path": "\/app\/.env.bak",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.99",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"leak-8"
],
"request_line": "GET \/app\/.env.bak HTTP\/1.1",
"request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/62.0.3331.99\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTM",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4dcf259d0fab3481cff67f9627f402a78ab8c630",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.bak",
"request_line": "GET \/app\/.env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTM",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.bak",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/.env.bak",
"request_line": "GET \/app\/.env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36 OPR\/\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.bak",
"evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTM",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"http_backup_file_scan",
"http_backup_path",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /app/api/.env
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /app/api/.env UA Mozilla/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build/NMF26F) …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/app/api/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/app/api/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /app/api/.env HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build/NMF26F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /app/api/.env HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build/NMF26F) Ap
Requête brute (extrait)
GET /app/api/.env HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build/NMF26F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Co
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "env",
"http_ua_hash": "e76fcebbc4f4f8d15a613a3a9be81b65eb02b08b",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "a26af0cb127afb7f53aace7ab18a175b4d8a51bd",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 275,
"payload_entropy": 5.42001451409713,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "391cf6307ecfdf747610de2eabc90f4ac65a2060",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "7d910f5df455af37169d193ccfdc90dc",
"payload_hash": "a7a431b1c5bc92109e8628011cf8c983",
"path_pattern_hash": "9328998b0872bf59d928235746a301f6"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) Ap",
"method": "GET",
"path": "\/app\/api\/.env",
"user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/api\/.env HTTP\/1.1",
"request_sample": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo",
"payload_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) Ap",
"evidence": {
"method": "GET",
"path": "\/app\/api\/.env",
"user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/app\/api\/.env HTTP\/1.1",
"request_sample": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCo",
"payload_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) Ap",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4b74c01e7068fa79ac175d8f086d09d31e840705",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/api\/.env",
"request_line": "GET \/app\/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) Ap",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/api\/.env",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/app\/api\/.env",
"request_line": "GET \/app\/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/api\/.env",
"evidence_snippet": "GET \/app\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Coolpad 3632A Build\/NMF26F) Ap",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8260 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
������������s���:�LkZ��@(�,�!p2֊&�����ন[ �)V���J-���)�2$7��Ek*�1�4�t������&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������s���:�LkZ��@(�,�!p2֊&�����ন[ �)V���J-���)�2$7��Ek*�1�4�t������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������s���:�LkZ��@(�,�!p2֊&�����ন[ �)V���J-���)�2$7��Ek*�1�4�t������&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �K�������l����� �����a�B���S��\[
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.881554332355577,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "960b80583250345444c1f690af4bdf04",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffds\ufffd\ufffd\ufffd:\ufffdLkZ\ufffd\ufffd@(\u000f,\ufffd!p2\u058a&\u001b\ufffd\ufffd\ufffd\ufffd\u09a8[ \ufffd)V\ufffd\ufffd\ufffdJ-\ufffd\ufffd\ufffd)\u00172$7\ufffd\u001dEk*\ufffd1\ufffd4\u001bt\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffds\ufffd\ufffd\ufffd:\ufffdLkZ\ufffd\ufffd@(\u000f,\ufffd!p2\u058a&\u001b\ufffd\ufffd\ufffd\ufffd\u09a8[ \ufffd)V\ufffd\ufffd\ufffdJ-\ufffd\ufffd\ufffd)\u00172$7\ufffd\u001dEk*\ufffd1\ufffd4\u001bt\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdK\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\ufffdl\u000e\ufffd\ufffd\ufffd\u0006\t\ufffd\ufffd\ufffd\ufffd\u001aa\ufffdB\u0018\ufffd\ufffdS\u000f\ufffd\\[",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffds\ufffd\ufffd\ufffd:\ufffdLkZ\ufffd\ufffd@(\u000f,\ufffd!p2\u058a&\u001b\ufffd\ufffd\ufffd\ufffd\u09a8[ \ufffd)V\ufffd\ufffd\ufffdJ-\ufffd\ufffd\ufffd)\u00172$7\ufffd\u001dEk*\ufffd1\ufffd4\u001bt\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "abbd2b1f2ab506efa707efd49854e391b0a6d806",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffds\ufffd\ufffd\ufffd:\ufffdLkZ\ufffd\ufffd@(\u000f,\ufffd!p2\u058a&\u001b\ufffd\ufffd\ufffd\ufffd\u09a8[ \ufffd)V\ufffd\ufffd\ufffdJ-\ufffd\ufffd\ufffd)\u00172$7\ufffd\u001dEk*\ufffd1\ufffd4\u001bt\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd:\ufffdLkZ\ufffd\ufffd@(,\ufffd!p2\u058a&\ufffd\ufffd\ufffd\ufffd\u09a8[ \ufffd)V\ufffd\ufffd\ufffdJ-\ufffd\ufffd\ufffd)2$7\ufffdEk*\ufffd1\ufffd4t\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffds\ufffd\ufffd\ufffd:\ufffdLkZ\ufffd\ufffd@(\u000f,\ufffd!p2\u058a&\u001b\ufffd\ufffd\ufffd\ufffd\u09a8[ \ufffd)V\ufffd\ufffd\ufffdJ-\ufffd\ufffd\ufffd)\u00172$7\ufffd\u001dEk*\ufffd1\ufffd4\u001bt\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd:\ufffdLkZ\ufffd\ufffd@(,\ufffd!p2\u058a&\ufffd\ufffd\ufffd\ufffd\u09a8[ \ufffd)V\ufffd\ufffd\ufffdJ-\ufffd\ufffd\ufffd)2$7\ufffdEk*\ufffd1\ufffd4t\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /backend/.env.prod
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/.env.prod UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/backend/.env.prod
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/backend/.env.prod
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/.env.prod HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /backend/.env.prod HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, l
Requête brute (extrait)
GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "prod",
"http_ua_hash": "9a89dda9fa23de8e7b4fe7caa64fca4b59e86421",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "ece1b00dd116de2d5cd1e616b647fb67b7d3b035",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 242,
"payload_entropy": 5.440985668024739,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "270abd2cde49bed1d0fa2a75de3c46266945853b",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "003ca088bf8ea1caa86a10d8157d5043",
"payload_hash": "7dd4cadeb98b01b4bbf3bce951ac22c8",
"path_pattern_hash": "06b37c283e0032a53442bbe10821cfeb"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, l",
"method": "GET",
"path": "\/backend\/.env.prod",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env.prod HTTP\/1.1",
"request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, l",
"evidence": {
"method": "GET",
"path": "\/backend\/.env.prod",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env.prod HTTP\/1.1",
"request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, l",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1623cca77477a4ecaedfaaa5fc4c918061407ca9",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env.prod",
"request_line": "GET \/backend\/.env.prod HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, l",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.prod",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env.prod",
"request_line": "GET \/backend\/.env.prod HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.117 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.prod",
"evidence_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, l",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /backend/.env.dev
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/.env.dev UA Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (KHTM…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/backend/.env.dev
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/backend/.env.dev
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/.env.dev HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) lt-GtkLauncher
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /backend/.env.dev HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (K
Requête brute (extrait)
GET /backend/.env.dev HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-us) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) lt-GtkLauncher Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "dev",
"http_ua_hash": "d5b836205f4abee6a0fa02e202e4eb231d50b1a4",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "6d43a22facf5bd0b2b7f81b2645be87ea2a8a4a1",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 244,
"payload_entropy": 5.3615953438897055,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "ebdd2abf03e95035edcfd6b02955cabb31858906",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "2eb51026680a82596c3101bb0484ba19",
"payload_hash": "cb757701a6547a5b393d3fd35baadefa",
"path_pattern_hash": "361efd67c8cb82623bb332a9d4f55268"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (K",
"method": "GET",
"path": "\/backend\/.env.dev",
"user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env.dev HTTP\/1.1",
"request_sample": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (K",
"evidence": {
"method": "GET",
"path": "\/backend\/.env.dev",
"user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env.dev HTTP\/1.1",
"request_sample": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (K",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "589399b1d29cabd85d360dade6126397be773ade",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env.dev",
"request_line": "GET \/backend\/.env.dev HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (K",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.dev",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env.dev",
"request_line": "GET \/backend\/.env.dev HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (KHTML, like Gecko, Safari\/528.5 ) lt-GtkLauncher",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.dev",
"evidence_snippet": "GET \/backend\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-us) AppleWebKit\/528.5 (K",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /backend/api/.env
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/api/.env UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWeb…
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950086:sqli-21
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/backend/api/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/backend/api/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « sqli-21 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/api/.env HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN
Règles WAF
sqli-21
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /backend/api/.env HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleW
Requête brute (extrait)
GET /backend/api/.env HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN Accept-Charset: u
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "env",
"http_ua_hash": "424707a6884bba0e5c2e08e31d55ac8958f398c0",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "7cf3bcec31d16ad31dcc82b576038776c12d1f9d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 306,
"payload_entropy": 5.468755228989619,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "d5b6fceace0685332668f557d66ecaf0e4176bd0",
"event_fingerprint": "705cb193fa62c1964bddfd019bfaa6fd7715b324",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce1c3072c30adbf6ea5b4539750aacc2",
"payload_hash": "0af89462635a74a05b15884b961351c1",
"path_pattern_hash": "f336a19e3f1ce7e6163bdad57dfb6c61"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleW",
"method": "GET",
"path": "\/backend\/api\/.env",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/api\/.env HTTP\/1.1",
"request_sample": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: u",
"payload_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleW",
"evidence": {
"method": "GET",
"path": "\/backend\/api\/.env",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/api\/.env HTTP\/1.1",
"request_sample": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: u",
"payload_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleW",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2230147198cb2a3d48e9594356a51868a615d505",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/api\/.env",
"request_line": "GET \/backend\/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMess\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleW",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/api\/.env",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab sqli-21 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/api\/.env",
"request_line": "GET \/backend\/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMess\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/api\/.env",
"evidence_snippet": "GET \/backend\/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleW",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /backend/.env.staging
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /backend/.env.staging UA Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 …
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/backend/.env.staging
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/backend/.env.staging
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /backend/.env.staging HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /backend/.env.staging HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKi
Requête brute (extrait)
GET /backend/.env.staging HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420 (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "staging",
"http_ua_hash": "59340f7bc3c58e9c6ac254e4745e8c29e5cb3ecf",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "60ad021131c60c7ef0d3077bb512c229f5e99a01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 262,
"payload_entropy": 5.348868746767611,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "5b066962408c61fb86e205b0eff3b324bf3488df",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "532cf02f0af960ca4d90706139994d35",
"payload_hash": "b192d1a7251e67ed037011f330d8fc43",
"path_pattern_hash": "71e8425052a8e855284ce6c37676ea95"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKi",
"method": "GET",
"path": "\/backend\/.env.staging",
"user_agent": "Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit\/420 (KHTML, like Gecko) Version\/3.0 Mobile\/1A543a Safari\/419.3",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env.staging HTTP\/1.1",
"request_sample": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit\/420 (KHTML, like Gecko) Version\/3.0 Mobile\/1A543a Safari\/419.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo",
"payload_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKi",
"evidence": {
"method": "GET",
"path": "\/backend\/.env.staging",
"user_agent": "Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit\/420 (KHTML, like Gecko) Version\/3.0 Mobile\/1A543a Safari\/419.3",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/backend\/.env.staging HTTP\/1.1",
"request_sample": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit\/420 (KHTML, like Gecko) Version\/3.0 Mobile\/1A543a Safari\/419.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo",
"payload_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKi",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1c081403ccc89279dead1eeda243efbd29c6aa69",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env.staging",
"request_line": "GET \/backend\/.env.staging HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit\/420 (KHTML, like Gecko) Version\/3.0 Mobile\/1A543a Safari\/41\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKi",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.staging",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backend\/.env.staging",
"request_line": "GET \/backend\/.env.staging HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit\/420 (KHTML, like Gecko) Version\/3.0 Mobile\/1A543a Safari\/41\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.staging",
"evidence_snippet": "GET \/backend\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKi",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:06 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /frontend/.env.local
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /frontend/.env.local UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605…
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/frontend/.env.local
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/frontend/.env.local
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /frontend/.env.local HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /frontend/.env.local HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKi
Requête brute (extrait)
GET /frontend/.env.local HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "local",
"http_ua_hash": "9495fbe67f0916c00b6f221fed06425d4bc0bd16",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "7437aaaafc9e223d971228fe59fdee61b9d620d5",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 258,
"payload_entropy": 5.325320162354436,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "0a29d72c394fcba0c14da0678f1848da05a5a5c6",
"event_fingerprint": "91fb4a78263137745bc4b0b675294218c616b36a",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "694ce73daec0dcb1dfc54a92c1d561ff",
"payload_hash": "5aea4a02c65afa08e2a670a45e020541",
"path_pattern_hash": "d7ae154bfa816b480978a2899fe639ce"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKi",
"method": "GET",
"path": "\/frontend\/.env.local",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.1 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/frontend\/.env.local HTTP\/1.1",
"request_sample": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n",
"payload_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKi",
"evidence": {
"method": "GET",
"path": "\/frontend\/.env.local",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.1 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/frontend\/.env.local HTTP\/1.1",
"request_sample": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n",
"payload_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKi",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4209bb57f6b3761c06dfa704b7f1279ae1e62f14",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.env.local",
"request_line": "GET \/frontend\/.env.local HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.1 Safari\/605.1.15",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKi",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.local",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/frontend\/.env.local",
"request_line": "GET \/frontend\/.env.local HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.1 Safari\/605.1.15",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/frontend\/.env.local",
"evidence_snippet": "GET \/frontend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKi",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /.env.docker
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env.docker UA Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; P…
Émulateur
HTTP
WAF
29
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/.env.docker
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/.env.docker
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 67
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env.docker HTTP/1.1
User-Agent
Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344
Règles WAF
lfi-14
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /.env.docker HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Prof
Requête brute (extrait)
GET /.env.docker HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 Accept-Charset: utf-8 Accept-
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "docker",
"http_ua_hash": "afd025b06b40b784279794656acbfbcaecfe5b00",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "fffaa1342f06e8670d7edda0bc9461e93e4a0f1f",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 293,
"payload_entropy": 5.47912201023407,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "9575e614434b7a3419fb5125012c7f999d9cdfd9",
"event_fingerprint": "209deb6fac2f035eca4f05ac7dedc47d10b09e5f",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "48b77ab855ab2862ab797d6da303d70b",
"payload_hash": "c62fa6c3703a9a024e67138b7136c56b",
"path_pattern_hash": "4424df1cf14166f6194446e711e46b03"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 67
},
"payload_preview": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof",
"method": "GET",
"path": "\/.env.docker",
"user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.docker HTTP\/1.1",
"request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\r\nAccept-Charset: utf-8\r\nAccept-",
"payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof",
"evidence": {
"method": "GET",
"path": "\/.env.docker",
"user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env.docker HTTP\/1.1",
"request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\r\nAccept-Charset: utf-8\r\nAccept-",
"payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f7c89873c569a941cb077e6860410ba8902b059b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.docker",
"request_line": "GET \/.env.docker HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebK\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.docker",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 67,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 67,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env.docker",
"request_line": "GET \/.env.docker HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebK\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.docker",
"evidence_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:8260 · (tentative d'exploit) · → /env.bak
Élevée
Moyen · 59
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET /env.bak UA Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.…
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950521:leak-8
http_backup_file_scan
Cible HTTP
GET
/env.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/env.bak
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · Sonde fichier sensible / config · confiance 62%
Confiance classification
70%
Corrélation +8
Risque capteur
Moyen
· 59
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /env.bak HTTP/1.1
User-Agent
Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 530) like Gecko
Règles WAF
rce-0
nosqli-3
leak-8
Payload (extrait)
GET /env.bak HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.0; IEMo
Requête brute (extrait)
GET /env.bak HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 530) like Gecko Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "bak",
"http_ua_hash": "253c736ddac82508286dee2924e7dcd234fd2086",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "a267c1a6bb1f8e78acd54116556c5ca3263f5088",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 236,
"payload_entropy": 5.358909057486671,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 92,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 92,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 59,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "065e0d9118f24fe3da986124349d8a52007ae06d",
"event_fingerprint": "43cdd60a33b8fd12766944be621a5b8894f3926f",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%",
"confidence": 0.7,
"classification_confidence": 0.7,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 92,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 59,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "2c9fedcc266aef2717fb1b3d1ba14f86",
"payload_hash": "052fb14d210b77eb41ced8c9e4f91836",
"path_pattern_hash": "8c7af96cfa7ab0d2b434d66566500145"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 59
},
"payload_preview": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMo",
"method": "GET",
"path": "\/env.bak",
"user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950521:leak-8"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-8"
],
"request_line": "GET \/env.bak HTTP\/1.1",
"request_sample": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMo",
"evidence": {
"method": "GET",
"path": "\/env.bak",
"user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950521:leak-8"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-8"
],
"request_line": "GET \/env.bak HTTP\/1.1",
"request_sample": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMo",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "18e3e43b7b0a8acccb93a64e227befabafd82f54",
"protocol_details": {
"http_method": "GET",
"http_path": "\/env.bak",
"request_line": "GET \/env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMo",
"attack_vector": "exploit attempt \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/env.bak",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 70,
"confidence_breakdown": {
"waf": 92,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 59,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 59,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/env.bak",
"request_line": "GET \/env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMobile\/11.0; NOKIA; Lumia 530) like Gecko",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/env.bak",
"evidence_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows Phone 8.1; ARM; Trident\/7.0; Touch; rv:11.0; IEMo",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950521:leak-8",
"http_backup_file_scan",
"http_backup_path",
"http_probe_env"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 96
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /api/.env.dev
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.env.dev UA Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gec…
Émulateur
HTTP
WAF
24
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Cible HTTP
GET
/api/.env.dev
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/api/.env.dev
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /api/.env.dev HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6
Règles WAF
nosqli-3
leak-1
k8s-api
Payload (extrait)
GET /api/.env.dev HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko
Requête brute (extrait)
GET /api/.env.dev HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "dev",
"http_ua_hash": "bd5a8030af6ba252c553877c215a975bb099d9f7",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "df0da649347f6e8b30ebfd6075798e279a79356e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 230,
"payload_entropy": 5.341509777118854,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "6d7b9167bfe0866800a7a267642e37dc7e519772",
"event_fingerprint": "21cdf2650a73727307fd59a83c1728f839b0c343",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d48dd1a58d66c5711aeaa6ba5a6310e0",
"payload_hash": "ecd3c81ee2951128939aa363d5e305fa",
"path_pattern_hash": "a65c42973e65ed0c7793c8c71a0195da"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko",
"method": "GET",
"path": "\/api\/.env.dev",
"user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko) Chrome\/20.0.1090.0 Safari\/536.6",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env.dev HTTP\/1.1",
"request_sample": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko) Chrome\/20.0.1090.0 Safari\/536.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko",
"evidence": {
"method": "GET",
"path": "\/api\/.env.dev",
"user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko) Chrome\/20.0.1090.0 Safari\/536.6",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env.dev HTTP\/1.1",
"request_sample": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko) Chrome\/20.0.1090.0 Safari\/536.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e287e89be3496e077f5d3e83875da076a99e678c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.dev",
"request_line": "GET \/api\/.env.dev HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko) Chrome\/20.0.1090.0 Safari\/536.6",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.dev",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.dev",
"request_line": "GET \/api\/.env.dev HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko) Chrome\/20.0.1090.0 Safari\/536.6",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.dev",
"evidence_snippet": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.6 (KHTML, like Gecko",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_backup_file_scan",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:8260 · (tentative d'exploit) · → /env.backup
Élevée
Moyen · 47
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET /env.backup UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like…
Émulateur
HTTP
WAF
13
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
Cible HTTP
GET
/env.backup
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/env.backup
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
70%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 62 % — 2 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /env.backup HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24
Règles WAF
rce-0
nosqli-3
Payload (extrait)
GET /env.backup HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gec
Requête brute (extrait)
GET /env.backup HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.703.0 Chrome/12.0.703.0 Safari/534.24 Accept-Charset: utf-8 Accept-Encoding: gzip Connection:
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "backup",
"http_ua_hash": "c47b0bb56a4f7346f2c7cae2031c872de1990cbd",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "de881192e40b910ddadfeaa7d74737f8ac4fcb8e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 265,
"payload_entropy": 5.441605432623211,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 60,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 60,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 47,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "12c141923b3d9340b7784730182a9776ab2c0c71",
"event_fingerprint": "c7d46ba4f36604a97c0de74c3eb5508cb437ae0f",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.7,
"classification_confidence": 0.7,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 60,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b0b2e522f7b991a523fa4ef9f0d23ae5",
"payload_hash": "ed22e614730dd452a0cdaf64552b5a66",
"path_pattern_hash": "0913256c1ce2cf4361c479b44d591aa5"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gec",
"method": "GET",
"path": "\/env.backup",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/12.0.703.0 Chrome\/12.0.703.0 Safari\/534.24",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"nosqli-3"
],
"request_line": "GET \/env.backup HTTP\/1.1",
"request_sample": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/12.0.703.0 Chrome\/12.0.703.0 Safari\/534.24\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ",
"payload_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/env.backup",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/12.0.703.0 Chrome\/12.0.703.0 Safari\/534.24",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"nosqli-3"
],
"request_line": "GET \/env.backup HTTP\/1.1",
"request_sample": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/12.0.703.0 Chrome\/12.0.703.0 Safari\/534.24\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ",
"payload_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gec",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6940fa536c96e833ee91dcbd6162cfe48daf0367",
"protocol_details": {
"http_method": "GET",
"http_path": "\/env.backup",
"request_line": "GET \/env.backup HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/12.0.703.0 Chrome\/12.0.703\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gec",
"attack_vector": "exploit attempt \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/env.backup",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 70,
"confidence_breakdown": {
"waf": 60,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/env.backup",
"request_line": "GET \/env.backup HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gecko) Ubuntu\/10.10 Chromium\/12.0.703.0 Chrome\/12.0.703\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/env.backup",
"evidence_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.24 (KHTML, like Gec",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /.env~
Élevée
Moyen · 64
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /.env~ UA Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 …
Émulateur
HTTP
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_backup_file_scan
Cible HTTP
GET
/.env~
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/.env~
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 64
Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
pat-0191
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /.env
Ligne de requête
GET /.env~ HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3
Règles WAF
rce-0
nosqli-3
leak-1
Payload (extrait)
GET /.env~ HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, l
Requête brute (extrait)
GET /.env~ HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.8 (KHTML, like Gecko) Safari/419.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "env~",
"http_ua_hash": "67253378ccd25986e8954dcb2922af33bf332148",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "1226c0debb1b75494a73e965e6d8cdcb9b1ead38",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 220,
"payload_entropy": 5.385270788995343,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 92,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 64,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "ac5be358d10820e5f957986b9b700c4cdb738cc1",
"event_fingerprint": "e3bad5b3d238c80525139fb569adf7f485313c7d",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 270,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0191"
],
"matched_pattern_names": [
"Probe \/.env"
],
"pattern_ids": [
"pat-0191"
],
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a7f3a1b63c014fec2037bbc13937cabf",
"payload_hash": "24634dd18b382b0b789e1fa4d721b7bc",
"path_pattern_hash": "cf5f67b633918a8bfbe3f2b4d6e8e9e1"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 64
},
"payload_preview": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, l",
"method": "GET",
"path": "\/.env~",
"user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, like Gecko) Safari\/419.3",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env~ HTTP\/1.1",
"request_sample": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, like Gecko) Safari\/419.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, l",
"evidence": {
"method": "GET",
"path": "\/.env~",
"user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, like Gecko) Safari\/419.3",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1"
],
"request_line": "GET \/.env~ HTTP\/1.1",
"request_sample": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, like Gecko) Safari\/419.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, l",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f832cdc5b33298cb3f868bf26def6aad83d5d77b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env~",
"request_line": "GET \/.env~ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, like Gecko) Safari\/419.3",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, l",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env~",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 92,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 64,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 64,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"pat-0191",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"pat-0191",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env~",
"request_line": "GET \/.env~ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, like Gecko) Safari\/419.3",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env~",
"evidence_snippet": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit\/418.8 (KHTML, l",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_backup_file_scan",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /api/v2/.env
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/v2/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537…
Émulateur
HTTP
WAF
39
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/api/v2/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/api/v2/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Probe /api/v2/
Ligne de requête
GET /api/v2/.env HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3792.0 Safari/537.36
Règles WAF
lfi-14
rce-0
nosqli-3
leak-1
k8s-api
Payload (extrait)
GET /api/v2/.env HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36
Requête brute (extrait)
GET /api/v2/.env HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3792.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "env",
"http_ua_hash": "ffd550c26c7d57d4a5fd20fcc0245fdf4fd693b0",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "cc4b30112d6bf6eb67e9d97dbf1e56d5dce1ab0e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 250,
"payload_entropy": 5.426040679788425,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 68,
"tag_count": 10,
"anomaly_count": 0,
"campaign_key": "484724a8e79f938d39d8a178f06b91c9b78d1761",
"event_fingerprint": "ccf5be2d9a24eb47932a99123f18aa3347fd4680",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 185,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream"
],
"matched_patterns": [
"pat-0213"
],
"matched_pattern_names": [
"Probe \/api\/v2\/"
],
"pattern_ids": [
"pat-0213"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a66d5a37f482720ddbb620cb7fbc3f05",
"payload_hash": "8a9d17aa367ac70369889f4ce38afbae",
"path_pattern_hash": "45a8106651a0a44c3f11053706f8aead"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36",
"method": "GET",
"path": "\/api\/v2\/.env",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/v2\/.env HTTP\/1.1",
"request_sample": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36",
"evidence": {
"method": "GET",
"path": "\/api\/v2\/.env",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36",
"waf_tags": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/v2\/.env HTTP\/1.1",
"request_sample": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c53002c264406ef8c679812d621eb94f54e65e78",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/v2\/.env",
"request_line": "GET \/api\/v2\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v2\/.env",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/v2\/.env",
"request_line": "GET \/api\/v2\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3792.0 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v2\/.env",
"evidence_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_api_route_probe",
"http_backup_file_scan",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /api/.env.production
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.env.production UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537…
Émulateur
HTTP
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.production
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/api/.env.production
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /api/.env.production HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
k8s-api
Payload (extrait)
GET /api/.env.production HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi
Requête brute (extrait)
GET /api/.env.production HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "production",
"http_ua_hash": "af15669d0a2069ed99f3f812d5d3f2b4e35b8128",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "968e975abb5bec4d137f79208dfd090d8456c104",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 260,
"payload_entropy": 5.417898510366114,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "fb0c2f9883dc2c67e7f24da0f0907c13b06e0124",
"event_fingerprint": "d2fdc3069a186b53656ba814b2e1581b1cea691d",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "dc7a79170cfe2db6a2818f7b7dac1080",
"payload_hash": "54c86c0d8158214fda62799709165453",
"path_pattern_hash": "3695b3884d13830f81357e8fc9151d2d"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"method": "GET",
"path": "\/api\/.env.production",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env.production HTTP\/1.1",
"request_sample": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"evidence": {
"method": "GET",
"path": "\/api\/.env.production",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env.production HTTP\/1.1",
"request_sample": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close",
"payload_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ec24f04fb1d426428a29422392f807d07315077f",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.production",
"request_line": "GET \/api\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.production",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.production",
"request_line": "GET \/api\/.env.production HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.\u2026",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.production",
"evidence_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKi",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_backup_file_scan",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /api/.env.bak
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.env.bak UA Mozilla/5.0 (compatible; Exabot/3.0; http://www.exabot.com/go/r…
Émulateur
HTTP
WAF
53
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950468:nosqli-3
Cible HTTP
GET
/api/.env.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/api/.env.bak
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 8 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /api/.env.bak HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Exabot/3.0; http://www.exabot.com/go/robot)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
leak-1
leak-8
k8s-api
Payload (extrait)
GET /api/.env.bak HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (compatible; Exabot/3.0; http://www.exabot.com/go/ro
Requête brute (extrait)
GET /api/.env.bak HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (compatible; Exabot/3.0; http://www.exabot.com/go/robot) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "bak",
"http_ua_hash": "155396580b69830baa3af59a01886bdf4a2267e1",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "db58915b70ec4f4897682eec5a7fd50dc2102271",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 201,
"payload_entropy": 5.191233568460964,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 68,
"tag_count": 12,
"anomaly_count": 0,
"campaign_key": "d56e27d443a525630fe8a718aa5fb1215de8a422",
"event_fingerprint": "eda8c8d3eb9f51e61e47b9097e6aaaabf72e27ec",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "60b27a7c48a7fb00e56038de2caf45f7",
"payload_hash": "d78e81bd638d2e9ad5c866eefa95314d",
"path_pattern_hash": "704472054da186f49a4245e261c91fda"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/ro",
"method": "GET",
"path": "\/api\/.env.bak",
"user_agent": "Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/robot)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"950600:k8s-api"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-1",
"leak-8",
"k8s-api"
],
"request_line": "GET \/api\/.env.bak HTTP\/1.1",
"request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/robot)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/ro",
"evidence": {
"method": "GET",
"path": "\/api\/.env.bak",
"user_agent": "Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/robot)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"950600:k8s-api"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-1",
"leak-8",
"k8s-api"
],
"request_line": "GET \/api\/.env.bak HTTP\/1.1",
"request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/robot)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/ro",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "949be2a2929b567008f480b09abbde16bff73d21",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.bak",
"request_line": "GET \/api\/.env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/robot)",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/ro",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.bak",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.bak",
"request_line": "GET \/api\/.env.bak HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/robot)",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.bak",
"evidence_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (compatible; Exabot\/3.0; http:\/\/www.exabot.com\/go\/ro",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"950600:k8s-api",
"http_backup_file_scan",
"http_backup_path",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /api/.env.prod
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.env.prod UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537…
Émulateur
HTTP
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.prod
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/api/.env.prod
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /api/.env.prod HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36
Règles WAF
rce-0
nosqli-3
leak-1
k8s-api
Payload (extrait)
GET /api/.env.prod HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.
Requête brute (extrait)
GET /api/.env.prod HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "prod",
"http_ua_hash": "287db97f510387563e8e3fad3bfb5f25bbc560cc",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "a0523bde74b7800a5f62604ba67d5973949853e7",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 253,
"payload_entropy": 5.42512898669195,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 68,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "fb0c2f9883dc2c67e7f24da0f0907c13b06e0124",
"event_fingerprint": "ae35a28ac4d70160d558e51ea04ed4957d7ff1df",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "2dfa44c963be3cd5e8d318a0b5416fa5",
"payload_hash": "779e42cf87c4c339614719b8e266fc3c",
"path_pattern_hash": "0d46dff1e6403d12ac8e9a297c932ed9"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.",
"method": "GET",
"path": "\/api\/.env.prod",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env.prod HTTP\/1.1",
"request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.",
"evidence": {
"method": "GET",
"path": "\/api\/.env.prod",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env.prod HTTP\/1.1",
"request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "16e0fd96b202236c15f9543c809e151bd1850da4",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.prod",
"request_line": "GET \/api\/.env.prod HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.prod",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env.prod",
"request_line": "GET \/api\/.env.prod HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.prod",
"evidence_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/537.",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_backup_file_scan",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Sonde fichier configuration
config file probe · via HTTP:8260 · (tentative d'exploit) · → /api/.env
Élevée
Élevé · 68
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1083
TA0001
TA0002
Protocole
GET /api/.env UA Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gec…
Émulateur
HTTP
WAF
24
Recommandation
Investiguer
Tags
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Cible HTTP
GET
/api/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/api/.env
Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Élevé
· 68
Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF
Signaux
SIGMA-web-config-leak
Http Sensitive
Upstream
Waf Score
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /api/.env HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gecko) WebVideo/1.0.1.10 Version/7.0 Safari/537.71
Règles WAF
nosqli-3
leak-1
k8s-api
Payload (extrait)
GET /api/.env HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gecko) We
Requête brute (extrait)
GET /api/.env HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gecko) WebVideo/1.0.1.10 Version/7.0 Safari/537.71 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "01615c4c5a5d29fbcf0989270eeae2a0453083c9",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "f5b7d21cf92d5caca6cd906725e72730e31bc18c",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 238,
"payload_entropy": 5.310099250084425,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 100,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 68,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "6d7b9167bfe0866800a7a267642e37dc7e519772",
"event_fingerprint": "31ef9207b5ea73010916d59f36b43e36df455902",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 215,
"precision_signals": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "aaf6988fdc26e3d2c72561eac6731bb1",
"payload_hash": "820685ace24b847b8d98c2ccbe20afbd",
"path_pattern_hash": "3c658e3b68f996f41891a76e1d05a9a5"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 68
},
"payload_preview": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) We",
"method": "GET",
"path": "\/api\/.env",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env HTTP\/1.1",
"request_sample": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) We",
"evidence": {
"method": "GET",
"path": "\/api\/.env",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71",
"waf_tags": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api"
],
"waf_rule_names": [
"nosqli-3",
"leak-1",
"k8s-api"
],
"request_line": "GET \/api\/.env HTTP\/1.1",
"request_sample": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) We",
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e7fab964431a2579141ab03b49af2661b4a10b62",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env",
"request_line": "GET \/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) We",
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 68,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 68,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"SIGMA-web-config-leak",
"INT-http_sensitive",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"SIGMA-web-config-leak",
"Http Sensitive",
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/.env",
"request_line": "GET \/api\/.env HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:8260 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env",
"evidence_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) We",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_backup_file_scan",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
14/06/2026 16:02:05 UTC
TCP
8260 · HTTP
Scan de ports
port scan syn · via HTTP:8260 · (reconnaissance) · → /env.txt
Élevée
Moyen · 45
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0043
TA0043
Protocole
GET /env.txt UA Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100…
Émulateur
HTTP
WAF
13
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
Cible HTTP
GET
/env.txt
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/env.txt
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52%
Confiance classification
60%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 52 % — 2 tag(s) WAF
Signaux
Beh Scan Burst
Technique MITRE
TA0043
Tactiques MITRE
TA0043
Ligne de requête
GET /env.txt HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Iceweasel/3.6.3 (like Firefox/3.6.3) GTB7.0
Règles WAF
rce-0
nosqli-3
Payload (extrait)
GET /env.txt HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Ice
Requête brute (extrait)
GET /env.txt HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Iceweasel/3.6.3 (like Firefox/3.6.3) GTB7.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "txt",
"http_ua_hash": "21be67d571c7a396026bff02bc6cb0fcb9a8760b",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "43063baf0fda73950dd575fa216e503f70ad04be",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 237,
"payload_entropy": 5.333998524987779,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8260,
"risk_waf": 60,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 60,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 45,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "12c141923b3d9340b7784730182a9776ab2c0c71",
"event_fingerprint": "61163cfe6b7a79a00aa536e04ec599e87435285e",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%",
"confidence": 0.6,
"classification_confidence": 0.6,
"precision_score": 62,
"precision_signals": [
"INT-beh-scan-burst"
],
"kb_rule_ids": [
"INT-beh-scan-burst"
],
"confidence_breakdown": {
"waf": 60,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 52,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b2042cfbdd68996c8cf9cd4480528728",
"payload_hash": "af8e3a8addeb9c860072a1e647746925",
"path_pattern_hash": "4ff48f74005d677acf48e527b71c7273"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 45
},
"payload_preview": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Ice",
"method": "GET",
"path": "\/env.txt",
"user_agent": "Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Iceweasel\/3.6.3 (like Firefox\/3.6.3) GTB7.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"nosqli-3"
],
"request_line": "GET \/env.txt HTTP\/1.1",
"request_sample": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Iceweasel\/3.6.3 (like Firefox\/3.6.3) GTB7.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Ice",
"evidence": {
"method": "GET",
"path": "\/env.txt",
"user_agent": "Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Iceweasel\/3.6.3 (like Firefox\/3.6.3) GTB7.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"nosqli-3"
],
"request_line": "GET \/env.txt HTTP\/1.1",
"request_sample": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Iceweasel\/3.6.3 (like Firefox\/3.6.3) GTB7.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Ice",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre": "TA0043",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d52ab2b6be38964da0c6694597a5137e861f35ff",
"protocol_details": {
"http_method": "GET",
"http_path": "\/env.txt",
"request_line": "GET \/env.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Iceweasel\/3.6.3 (like Firefox\/3.6.3) GTB7.0",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Ice",
"attack_vector": "port scan syn \u00b7 via HTTP:8260 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.txt",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 52 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 60,
"confidence_breakdown": {
"waf": 60,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"INT-beh-scan-burst"
],
"tags_summary_labels_fr": [
"Beh Scan Burst"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0043",
"mitre_technique": "TA0043",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/env.txt",
"request_line": "GET \/env.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Iceweasel\/3.6.3 (like Firefox\/3.6.3) GTB7.0",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8260 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.txt",
"evidence_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko\/20100402 Ice",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 52 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3"
],
"asn_dc_heuristic": true
}