Renseignement sur les menaces

Taïwan

34.80.127.27

FAI Google LLC Première vue 14/06/2026 16:43 UTC Dernière vue 14/06/2026 16:43 UTC Risque Élevé

Période analysée : 2026-06-11 → 2026-06-18

Activité suspecte — risque 51/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 70/100 Élevé

Première observation 14/06/2026 16:43 UTC

Dernière observation 14/06/2026 16:43 UTC

Événements (période) 332

MITRE ATT&CK principal TA0007 167 occurrences

Activité suspecte — risque 51/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Tags WAF: nosqli-3 · confiance 100%

Confiance 100 % — Score WAF 32 · Bonus corrélation +8 · 1 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.80.112.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 332 événements sur la période pour cette IP.

147.185.132.55 Sonde MongoDB 18/06/2026 20:42 UTC
147.185.132.20 Scan vulnérabilités 18/06/2026 20:41 UTC
198.235.24.168 oracle tns probe 18/06/2026 20:41 UTC
205.210.31.213 Sonde PostgreSQL 18/06/2026 20:40 UTC
35.203.211.235 Sonde port 18/06/2026 20:39 UTC
205.210.31.221 Sonde PostgreSQL 18/06/2026 20:37 UTC
205.210.31.194 Sonde port 18/06/2026 20:37 UTC
205.210.31.96 Sonde PostgreSQL 18/06/2026 20:36 UTC

Événements (filtres)

332

Première observation

14/06/2026 16:43 UTC

Dernière observation

14/06/2026 16:43 UTC

Dernière activité (filtres)

14/06/2026 16:43 UTC

Événements 7j

332

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 166 TLS TCP 166

HTTP

166

TLS

166

Géolocalisation

Origine réseau déclarée

Taïwan unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 20080 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:20080 · (tentative d'exploit) · → /mail/sendgrid.env

Détails protocole

Méthode: GET
Chemin: /mail/sendgrid.env
User-Agent: CSSCheck/1.2.2

Aperçu payload

GET /mail/sendgrid.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: CSSCheck/1.2.2 Accept-Charset: utf-8 Accept-Encoding: gzi

Port / service

20080 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 1 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

332 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

332 événement(s) — page 3/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.docker	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.docker UA Mozilla/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit/537… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.docker TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.docker Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.docker HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.docker HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit/537.3 Requête brute (extrait) GET /.env.docker HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "docker", "http_ua_hash": "036a7e6c03f2a643144624e5e69614553b17760e", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "fffaa1342f06e8670d7edda0bc9461e93e4a0f1f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.386231787094158, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "851ab6e4e20e5eaf525a0893964790f236a50ac3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6de30378f51ed28a07416bafb29cc7f4", "payload_hash": "ddf613fe1474113576a9bdebe94002de", "path_pattern_hash": "4424df1cf14166f6194446e711e46b03" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.3", "method": "GET", "path": "\/.env.docker", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.docker HTTP\/1.1", "request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/.env.docker", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.docker HTTP\/1.1", "request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99ae5a14b783eb4fe1e3e8b80ccc396300c5a3d6", "protocol_details": { "http_method": "GET", "http_path": "\/.env.docker", "request_line": "GET \/.env.docker HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safar\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.3", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.docker", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.docker", "request_line": "GET \/.env.docker HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safar\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.docker", "evidence_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Lenovo K33a42) AppleWebKit\/537.3", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.demo	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.demo UA Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Fi… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.demo TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.demo Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.demo HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.demo HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefo Requête brute (extrait) GET /.env.demo HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "demo", "http_ua_hash": "4b27a0268bf93c1e4b2b976844a1f4a3fdd20a09", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "281117a46ffb6dbe77926884a25652c0da93651c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 203, "payload_entropy": 5.303071132741778, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "6aaf147abfc6ce3feaa7711c3b5f2d8cb165cede", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4d71a08bb91ca206c6eecf652da5072e", "payload_hash": "1202160f7685890dead47fd5c57944de", "path_pattern_hash": "ff56ce56a447b9537c511ab389b44d21" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefo", "method": "GET", "path": "\/.env.demo", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.demo HTTP\/1.1", "request_sample": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefo", "evidence": { "method": "GET", "path": "\/.env.demo", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.demo HTTP\/1.1", "request_sample": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefo", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3bf57dd486be4cdacf701636bed13c88b4ac8006", "protocol_details": { "http_method": "GET", "http_path": "\/.env.demo", "request_line": "GET \/.env.demo HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefo", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.demo", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.demo", "request_line": "GET \/.env.demo HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefox\/47.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.demo", "evidence_snippet": "GET \/.env.demo HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko\/20100101 Firefo", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.old	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.old UA Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.old HTTP/1.1` User-Agent Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12.388 Version/12.10 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12 Requête brute (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12.388 Version/12.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "01d5fbf93a54fabb8ab22591bb3459434f9dab9f", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "5c6d2af3e13d17105c8f5fb6187fb5c332303b42", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 215, "payload_entropy": 5.270297369028208, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "dcee5dbf0b4aa5e9aa7f6a569650f8c6f7703a6c", "event_fingerprint": "1324687ee855d94cc29debf85c28664e9294b38c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "92fb9085c955383e740262552eee1da9", "payload_hash": "3847d40727d6a4a15e728099276518f8", "path_pattern_hash": "3807eb1255fb0315f3ffbb94c31e25e0" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12", "method": "GET", "path": "\/.env.old", "user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12", "evidence": { "method": "GET", "path": "\/.env.old", "user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "73ae8d1488b16024659f0c3554a5b2d7d11891f2", "protocol_details": { "http_method": "GET", "http_path": "\/.env.old", "request_line": "GET \/.env.old HTTP\/1.1", "http_user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.old", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.old", "request_line": "GET \/.env.old HTTP\/1.1", "http_user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.old", "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.copy	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.copy UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.copy TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.copy Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.copy HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3879.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.copy HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /.env.copy HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3879.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "copy", "http_ua_hash": "5cce4f80f3d827d2f70f7c83c9b78b284b9ad660", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "7c2ae66345773d74e41beccb46e084de01a9b535", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 238, "payload_entropy": 5.4256707158226085, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "e8dc9b0be031fd2add991a515b9ad32ededa7010", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0d4afa313b1ea1a5a97888703fa2992a", "payload_hash": "58da003b71a6dc13bab8b5a3aba7289c", "path_pattern_hash": "1582af18ca1ce6e54d4467e471b637e8" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/.env.copy", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.copy HTTP\/1.1", "request_sample": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/.env.copy", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.copy HTTP\/1.1", "request_sample": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a59b1dfeff952a82571965b6ef3c9c3fe07bf319", "protocol_details": { "http_method": "GET", "http_path": "\/.env.copy", "request_line": "GET \/.env.copy HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.copy", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.copy", "request_line": "GET \/.env.copy HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3879.0 Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.copy", "evidence_snippet": "GET \/.env.copy HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.example	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.example UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.example TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.example Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.example HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.example HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537. Requête brute (extrait) GET /.env.example HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "example", "http_ua_hash": "0001989e49924f8bae176d77792fbc0ba5d1ed5e", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "080963ef62d711207d0e68706f04d0705ec4d7fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.395655573654211, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "368921782cf7774d1a5908a623a2238051c1b12c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6f4a065b015211242b1682e970c56277", "payload_hash": "ecc309a22987eab74a64988974fcedf5", "path_pattern_hash": "f8bf22cb3ab23601599be7f21fa00aee" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.", "method": "GET", "path": "\/.env.example", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.example HTTP\/1.1", "request_sample": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/.env.example", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.example HTTP\/1.1", "request_sample": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f04f96cccd5d4e9d225252849180893c09f98db", "protocol_details": { "http_method": "GET", "http_path": "\/.env.example", "request_line": "GET \/.env.example HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.example", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.example", "request_line": "GET \/.env.example HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.example", "evidence_snippet": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.prod.bak	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.prod.bak UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.prod.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.prod.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.prod.bak HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.88 Safari/537.36 Vivaldi/2.4.1488.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.prod.bak HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537 Requête brute (extrait) GET /.env.prod.bak HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.88 Safari/537.36 Vivaldi/2.4.1488.36 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "a1e29f23a3c4f6e942f7b15b151869432ad7db81", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "e79ede117a02a11b4e7051104a60cdf42ee84dde", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.4211204668886195, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e533d9a2b1f0ad97f25acf0cc072957ed3a294df", "event_fingerprint": "394ed4c68785671c4731155b189d928cc6450724", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "670f51594b56de972484f1d2a6322397", "payload_hash": "ecca80d1a3b61aa969b076626f8bec1b", "path_pattern_hash": "b6f3643e7f32a1b4084c7ae038946cd0" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537", "method": "GET", "path": "\/.env.prod.bak", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.88 Safari\/537.36 Vivaldi\/2.4.1488.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.prod.bak HTTP\/1.1", "request_sample": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.88 Safari\/537.36 Vivaldi\/2.4.1488.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/.env.prod.bak", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.88 Safari\/537.36 Vivaldi\/2.4.1488.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.prod.bak HTTP\/1.1", "request_sample": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.88 Safari\/537.36 Vivaldi\/2.4.1488.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d3d17fa86ae7e06b8db31d69d6e551b8d3e2ffa", "protocol_details": { "http_method": "GET", "http_path": "\/.env.prod.bak", "request_line": "GET \/.env.prod.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.88 Safari\/537.3\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.prod.bak", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.prod.bak", "request_line": "GET \/.env.prod.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.88 Safari\/537.3\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.prod.bak", "evidence_snippet": "GET \/.env.prod.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.dev	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.dev UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.dev Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.dev HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.dev HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 ( Requête brute (extrait) GET /.env.dev HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "dev", "http_ua_hash": "cbb9db1397a33f72cf3f1187f904981b18d81e8c", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "a499321530f3e4ddd283e6792cf6d67b1e7cfe88", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.430355822744352, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "9061a2799e1ca1421cc9b11cdcb595c5820c9c69", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c816f7e85e19cb6888eb2725fc09077c", "payload_hash": "22d0879250e74eac1eb8407006387c45", "path_pattern_hash": "ceb221ca10f5b573c09ea91320781e08" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (", "method": "GET", "path": "\/.env.dev", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dev HTTP\/1.1", "request_sample": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/.env.dev", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dev HTTP\/1.1", "request_sample": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "05655e7025ddd7464692c702928d0f7eadfbac17", "protocol_details": { "http_method": "GET", "http_path": "\/.env.dev", "request_line": "GET \/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dev", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.dev", "request_line": "GET \/.env.dev HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.131 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dev", "evidence_snippet": "GET \/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.development.local	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.development.local UA Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gec… Émulateur HTTP WAF 14 Recommandation Investiguer Tags 950470:nosqli-3 950514:leak-1 http_backup_file_scan http_sensitive_path Cible HTTP GET /.env.development.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.development.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.development.local HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /.env.development.local HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, Requête brute (extrait) GET /.env.development.local HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "e576e94dad83cd52177cb9ef926a3d4095dd883d", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "44b27fcf42134edd5dc872c2c6f931dc026ceb76", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.324496269855504, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 64, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "10e64107dc5ce2f42e85f062df2d047f9a6b41b3", "event_fingerprint": "1d58e3c17e2c4c3e54e646b7263ac7b27a93929a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "28b5a0abf8f5a3dc2974b5b5cc32be49", "payload_hash": "c0b4b368449a7422844e9036ffbbe59b", "path_pattern_hash": "66b5346fea2c0f881a6004f5150ea85e" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML,", "method": "GET", "path": "\/.env.development.local", "user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3", "waf_tags": [ "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development.local HTTP\/1.1", "request_sample": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML,", "evidence": { "method": "GET", "path": "\/.env.development.local", "user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3", "waf_tags": [ "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development.local HTTP\/1.1", "request_sample": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML,", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "53556c27be6abe077147d9f440f328570906dde7", "protocol_details": { "http_method": "GET", "http_path": "\/.env.development.local", "request_line": "GET \/.env.development.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML,", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.development.local", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 64, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.development.local", "request_line": "GET \/.env.development.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML, like Gecko) Chrome\/19.0.1061.1 Safari\/536.3", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.development.local", "evidence_snippet": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2) AppleWebKit\/536.3 (KHTML,", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.default	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.default UA Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.default TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.default Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.default HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.default HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 Requête brute (extrait) GET /.env.default HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "default", "http_ua_hash": "debb15a7d68aa336bc36ec7e628a2911a37d6393", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "437476297bcc04ccaf487ff217e9f02a35247fa6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.391261102901508, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "5d7e1837caddc4c3afa835ec3be0e90c76d7c4d8", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d60e0586986b6a343b0c6e2f32127712", "payload_hash": "aea92e29026a6025c59297ff48150813", "path_pattern_hash": "ef22944b80bfbabaa71a03775ffca265" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 ", "method": "GET", "path": "\/.env.default", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.default HTTP\/1.1", "request_sample": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/.env.default", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.default HTTP\/1.1", "request_sample": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c13b7038ab254bc0cac62c4b29861eca92cb9663", "protocol_details": { "http_method": "GET", "http_path": "\/.env.default", "request_line": "GET \/.env.default HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.default", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.default", "request_line": "GET \/.env.default HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.default", "evidence_snippet": "GET \/.env.default HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; Moto G (4)) AppleWebKit\/537.36", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.staging	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.staging UA Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.staging Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.staging HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.staging HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /.env.staging HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "staging", "http_ua_hash": "d5ddd104539bfa72865607edcd6b14ea1f2b8a4b", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "b697ca05984d1bd61ac6a6cd96868703f3417431", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.38170545716284, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "c3d968a13c3ec62073f0ca4fdf87d3c441d1aff9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7bd1161a9f3e5e848bd927daba3e4232", "payload_hash": "15679c65ec14e7b8fdacbbe3d3b4f1af", "path_pattern_hash": "273c68db2803cfd6e1d27200e5969039" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/.env.staging", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.staging HTTP\/1.1", "request_sample": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/.env.staging", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.staging HTTP\/1.1", "request_sample": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d0b15c831d6d3273254ce9526c7569291c55fce0", "protocol_details": { "http_method": "GET", "http_path": "\/.env.staging", "request_line": "GET \/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHT", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.staging", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.staging", "request_line": "GET \/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.staging", "evidence_snippet": "GET \/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHT", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.qa	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.qa UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.qa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.qa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.qa HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.qa HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 ( Requête brute (extrait) GET /.env.qa HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "qa", "http_ua_hash": "cbad830bdd4b822ffdddb6c2dac7856143406481", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "f6ca81fc6b63d491b34b08edc02f7c1a76039985", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.362273774958129, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "b38cd8ca608cf06905b370bcc2de56a06f312244", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6563296a7f163a1c1c3d95555ed88fa7", "payload_hash": "b38f5f51c4c8d3a592eb53bf3e7de94b", "path_pattern_hash": "4ceac2fb8b154c5a9855e0056c339f6c" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (", "method": "GET", "path": "\/.env.qa", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.qa HTTP\/1.1", "request_sample": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (", "evidence": { "method": "GET", "path": "\/.env.qa", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.qa HTTP\/1.1", "request_sample": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9fed31ef22ccd9d173f74d3e76fb8ca7c17fb538", "protocol_details": { "http_method": "GET", "http_path": "\/.env.qa", "request_line": "GET \/.env.qa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.qa", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.qa", "request_line": "GET \/.env.qa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (KHTML, like Gecko) Version\/5.1.3 Safari\/534.53.10", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.qa", "evidence_snippet": "GET \/.env.qa HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit\/534.55.3 (", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.template	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.template UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.template TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.template Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.template HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.template HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537 Requête brute (extrait) GET /.env.template HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "template", "http_ua_hash": "3df4c8180ffcf5965502bca3b82e103e876f7c20", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "edccaea3bbb1eaacbff6973ad5f703ae60c1ddc1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.384176193974142, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "c7bc95413adb935e084821389efa9ced45485063", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3be1a84eefbef370a455ffb3722e0bc6", "payload_hash": "47d1e7dc7cd2067acf7779f7451bd078", "path_pattern_hash": "6f72c17e203141284a34bb73c6ef5765" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "method": "GET", "path": "\/.env.template", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.template HTTP\/1.1", "request_sample": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/.env.template", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.template HTTP\/1.1", "request_sample": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a6cb84fb91727635fcbce25fdece99048c927e00", "protocol_details": { "http_method": "GET", "http_path": "\/.env.template", "request_line": "GET \/.env.template HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.template", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.template", "request_line": "GET \/.env.template HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.template", "evidence_snippet": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.dev.local	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.dev.local UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit/537.3… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.dev.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.dev.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.dev.local HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.dev.local HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit/537. Requête brute (extrait) GET /.env.dev.local HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "3da4867009ba48eea7334705c7277bfeb35664fc", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "12559bd98a78482d9ce7a35ea95030c5164cc18e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.434456747277208, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "fe308b54fc18f35dab265e04e35d526b035229b3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a587945ac46f7c95d48a6fee69d6e78d", "payload_hash": "d1da453277185e7db94f0a30df0ebcce", "path_pattern_hash": "168410cb363e5bff281032a79dc5b72d" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.", "method": "GET", "path": "\/.env.dev.local", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dev.local HTTP\/1.1", "request_sample": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/.env.dev.local", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.dev.local HTTP\/1.1", "request_sample": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a3198bd053ed4e9688509f518de7b472fa93ade", "protocol_details": { "http_method": "GET", "http_path": "\/.env.dev.local", "request_line": "GET \/.env.dev.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dev.local", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.dev.local", "request_line": "GET \/.env.dev.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.dev.local", "evidence_snippet": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6000) AppleWebKit\/537.", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.preprod	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.preprod UA Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.preprod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.preprod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.preprod HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.preprod HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /.env.preprod HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N950U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "preprod", "http_ua_hash": "2a2fdade35acf39614d43ae3cde1dc91ba5eba75", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "67166fa60459969a35e979b1c3340b3415271d3a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.419444283319683, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "356ff688fdb0449a90274392df829648be661368", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c9b671d741cea56c040d9008731b6d30", "payload_hash": "19f9c949dbad9b7a01f7ae555e502d8d", "path_pattern_hash": "56c2098c6a61c7ac0db82c4db6400ced" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/.env.preprod", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.preprod HTTP\/1.1", "request_sample": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/.env.preprod", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.preprod HTTP\/1.1", "request_sample": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "94c40d88aa864ae9d4b37b1995a24fdb71907af0", "protocol_details": { "http_method": "GET", "http_path": "\/.env.preprod", "request_line": "GET \/.env.preprod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHT", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.preprod", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.preprod", "request_line": "GET \/.env.preprod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.preprod", "evidence_snippet": "GET \/.env.preprod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N950U) AppleWebKit\/537.36 (KHT", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.test	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.test UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.test TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.test Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.test HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.test HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /.env.test HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "test", "http_ua_hash": "f6b14df20eb2e81066b12e1b70f1ed896fb62a52", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "4e40a92f813d5ab41a0033a3846a1a977ff1de23", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.41685252320583, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3703a5420c94d4c57310283c402e2d76700997cb", "event_fingerprint": "fb487301e4941a2510e6fd29cd6a08d7da0942b5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 270, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "470f0c990fcda5e76243a30e4433da48", "payload_hash": "5225fa33edfd7f8459ffcf0bdd8c0e31", "path_pattern_hash": "d0f775cf96d71b1d76da4d08e462f07a" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/.env.test", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.test HTTP\/1.1", "request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/.env.test", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.test HTTP\/1.1", "request_sample": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93bb2a88c09c65ca36e2ba3219e316d1eddb54c9", "protocol_details": { "http_method": "GET", "http_path": "\/.env.test", "request_line": "GET \/.env.test HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.test", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.test", "request_line": "GET \/.env.test HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.test", "evidence_snippet": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:20080 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 20080 Chemin / cible — Service TLS Payload ��Mk��2��NkM��d�W�p$A�� w��(8!��S��Q��}�T_�+� �&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Mk��2��NkM��d�W�p$A�� w��(8!��S��Q��}�T_�+� �&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Mk��2��NkM��d�W�p$A�� w��(8!��S��Q��}�T_�+� �&�+�/�,�0̨̩� �� /5� w �+3&$ �G�;#.��քK�0�k�BT����) Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.898626008365344, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "922e68f753501d82d4ba9f3c6fb79a594e6c4bc0", "event_fingerprint": "70ed98f47270d080d4d0841022f0a2729b7f66f8", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "8f07875a21bd0936883e098ba0b66620", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 20080, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdMk\u0001\ufffd\u001a\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffdNkM\ufffd\ufffdd\ufffdW\ufffdp$\bA\ufffd\ufffd\ufffd \ufffdw\ufffd\ufffd\ufffd(8!\u001e\u0003\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffdQ\u001b\ufffd\ufffd\ufffd}\ufffdT_\ufffd+\ufffd \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdMk\u0001\ufffd\u001a\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffdNkM\ufffd\ufffdd\ufffdW\ufffdp$\bA\ufffd\ufffd\ufffd \ufffdw\ufffd\ufffd\ufffd(8!\u001e\u0003\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffdQ\u001b\ufffd\ufffd\ufffd}\ufffdT_\ufffd+\ufffd \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdG\ufffd\u0019;#.\ufffd\ufffd\ufffd\ufffd\u0584\u0015K\ufffd0\ufffdk\ufffdBT\ufffd\u0017\ufffd\ufffd\ufffd\ufffd)", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdMk\u0001\ufffd\u001a\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffdNkM\ufffd\ufffdd\ufffdW\ufffdp$\bA\ufffd\ufffd\ufffd \ufffdw\ufffd\ufffd\ufffd(8!\u001e\u0003\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffdQ\u001b\ufffd\ufffd\ufffd}\ufffdT_\ufffd+\ufffd \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f2234b9cf1823501983c97a2ba7b594079edb9b4", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdMk\u0001\ufffd\u001a\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffdNkM\ufffd\ufffdd\ufffdW\ufffdp$\bA\ufffd\ufffd\ufffd \ufffdw\ufffd\ufffd\ufffd(8!\u001e\u0003\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffdQ\u001b\ufffd\ufffd\ufffd}\ufffdT_\ufffd+\ufffd \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 20080, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdMk\ufffd\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffdNkM\ufffd\ufffdd\ufffdW\ufffdp$A\ufffd\ufffd\ufffd \ufffdw\ufffd\ufffd\ufffd(8!\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffdQ\ufffd\ufffd\ufffd}\ufffdT_\ufffd+\ufffd \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:20080 \u00b7 (sonde \/ probe)", "target_port_label": "20080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdMk\u0001\ufffd\u001a\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffdNkM\ufffd\ufffdd\ufffdW\ufffdp$\bA\ufffd\ufffd\ufffd \ufffdw\ufffd\ufffd\ufffd(8!\u001e\u0003\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffdQ\u001b\ufffd\ufffd\ufffd}\ufffdT_\ufffd+\ufffd \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 20080, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:20080 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdMk\ufffd\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffdNkM\ufffd\ufffdd\ufffdW\ufffdp$A\ufffd\ufffd\ufffd \ufffdw\ufffd\ufffd\ufffd(8!\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffdQ\ufffd\ufffd\ufffd}\ufffdT_\ufffd+\ufffd \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "20080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:20080 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 20080 Chemin / cible — Service TLS Payload ��דH�ޓ��J��MN.8��;�K��y�� B�m��׬� ׊hHa� g� ��>2.&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��דH�ޓ��J��MN.8��;�K��y�� B�m��׬� ׊hHa�g� ��>2.&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��דH�ޓ��J��MN.8��;�K��y�� B�m��׬� ׊hHa� g� ��>2.&�+�/�,�0̨̩� �� /5� w �+3&$ ډ�+_��pJ�9�(j�V/_T9��7�O�8 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.7998096829974575, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "922e68f753501d82d4ba9f3c6fb79a594e6c4bc0", "event_fingerprint": "70ed98f47270d080d4d0841022f0a2729b7f66f8", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "5c1e7c7acfe93bc8aba73c9400cb9e7f", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 20080, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05d3H\ufffd\u0793\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdMN.8\ufffd\ufffd;\u0013\ufffdK\u0004\ufffd\u0004\ufffdy\ufffd\ufffd\u0007 B\ufffdm\ufffd\ufffd\ufffd\u05ec\ufffd\n\u05cahHa\u0017\ufffd\fg\ufffd\u0003\u0000\r\ufffd\ufffd\ufffd\ufffd>\u00192\u0011.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05d3H\ufffd\u0793\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdMN.8\ufffd\ufffd;\u0013\ufffdK\u0004\ufffd\u0004\ufffdy\ufffd\ufffd\u0007 B\ufffdm\ufffd\ufffd\ufffd\u05ec\ufffd\n\u05cahHa\u0017\ufffd\fg\ufffd\u0003\u0000\r\ufffd\ufffd\ufffd\ufffd>\u00192\u0011.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0689\ufffd+_\ufffd\ufffdp\u001eJ\ufffd\u00159\ufffd(j\ufffdV\/_T9\ufffd\ufffd7\ufffdO\ufffd8", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05d3H\ufffd\u0793\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdMN.8\ufffd\ufffd;\u0013\ufffdK\u0004\ufffd\u0004\ufffdy\ufffd\ufffd\u0007 B\ufffdm\ufffd\ufffd\ufffd\u05ec\ufffd\n\u05cahHa\u0017\ufffd\fg\ufffd\u0003\u0000\r\ufffd\ufffd\ufffd\ufffd>\u00192\u0011.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dd7d260d691a82ac3d545e83bbadf63d85d5c46b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05d3H\ufffd\u0793\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdMN.8\ufffd\ufffd;\u0013\ufffdK\u0004\ufffd\u0004\ufffdy\ufffd\ufffd\u0007 B\ufffdm\ufffd\ufffd\ufffd\u05ec\ufffd\n\u05cahHa\u0017\ufffd\fg\ufffd\u0003\u0000\r\ufffd\ufffd\ufffd\ufffd>\u00192\u0011.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 20080, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\u05d3H\ufffd\u0793\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdMN.8\ufffd\ufffd;\ufffdK\ufffd\ufffdy\ufffd\ufffd B\ufffdm\ufffd\ufffd\ufffd\u05ec\ufffd\n\u05cahHa\ufffdg\ufffd\r\ufffd\ufffd\ufffd\ufffd>2.&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:20080 \u00b7 (sonde \/ probe)", "target_port_label": "20080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u05d3H\ufffd\u0793\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdMN.8\ufffd\ufffd;\u0013\ufffdK\u0004\ufffd\u0004\ufffdy\ufffd\ufffd\u0007 B\ufffdm\ufffd\ufffd\ufffd\u05ec\ufffd\n\u05cahHa\u0017\ufffd\fg\ufffd\u0003\u0000\r\ufffd\ufffd\ufffd\ufffd>\u00192\u0011.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 20080, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:20080 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\u05d3H\ufffd\u0793\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdMN.8\ufffd\ufffd;\ufffdK\ufffd\ufffdy\ufffd\ufffd B\ufffdm\ufffd\ufffd\ufffd\u05ec\ufffd\n\u05cahHa\ufffdg\ufffd\r\ufffd\ufffd\ufffd\ufffd>2.&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "20080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:20080 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 20080 Chemin / cible — Service TLS Payload ��q�ҹ���HC��oH�-�w��jŜ��Ț� ��_�ӕ^��s/.��R�H{��#�E&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��q�ҹ���HC��oH�-�w��jŜ��Ț� ��_�ӕ^��s/.��R�H{��#�E&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��q�ҹ���HC��oH�-�w��jŜ��Ț� ��_�ӕ^��s/.��R�H{��#�E&�+�/�,�0̨̩� �� /5� w �+3&$ ,�D�m�h��.�d��^��/�K�<�>" Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.814316031883251, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "922e68f753501d82d4ba9f3c6fb79a594e6c4bc0", "event_fingerprint": "70ed98f47270d080d4d0841022f0a2729b7f66f8", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "b6f2da80edad29917121905e2d96b44e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 20080, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013q\ufffd\u04b9\ufffd\ufffd\ufffd\ufffdHC\ufffd\ufffdoH\ufffd-\ufffdw\ufffd\ufffdj\u015c\ufffd\ufffd\u021a\ufffd \u0000\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffd\u04d5^\u000f\ufffd\u0019\ufffd\ufffds\/.\u0000\ufffd\ufffdR\ufffdH{\ufffd\ufffd#\ufffdE\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013q\ufffd\u04b9\ufffd\ufffd\ufffd\ufffdHC\ufffd\ufffdoH\ufffd-\ufffdw\ufffd\ufffdj\u015c\ufffd\ufffd\u021a\ufffd \u0000\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffd\u04d5^\u000f\ufffd\u0019\ufffd\ufffds\/.\u0000\ufffd\ufffdR\ufffdH{\ufffd\ufffd#\ufffdE\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 ,\ufffdD\ufffdm\ufffdh\ufffd\ufffd\ufffd.\ufffdd\ufffd\ufffd\u001b\u001d^\ufffd\ufffd\ufffd\/\ufffdK\ufffd<\ufffd>\b\"\t", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013q\ufffd\u04b9\ufffd\ufffd\ufffd\ufffdHC\ufffd\ufffdoH\ufffd-\ufffdw\ufffd\ufffdj\u015c\ufffd\ufffd\u021a\ufffd \u0000\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffd\u04d5^\u000f\ufffd\u0019\ufffd\ufffds\/.\u0000\ufffd\ufffdR\ufffdH{\ufffd\ufffd#\ufffdE\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea23a45ef5889eef049d134ec8a8ebf8366973b2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013q\ufffd\u04b9\ufffd\ufffd\ufffd\ufffdHC\ufffd\ufffdoH\ufffd-\ufffdw\ufffd\ufffdj\u015c\ufffd\ufffd\u021a\ufffd \u0000\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffd\u04d5^\u000f\ufffd\u0019\ufffd\ufffds\/.\u0000\ufffd\ufffdR\ufffdH{\ufffd\ufffd#\ufffdE\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 20080, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdq\ufffd\u04b9\ufffd\ufffd\ufffd\ufffdHC\ufffd\ufffdoH\ufffd-\ufffdw\ufffd\ufffdj\u015c\ufffd\ufffd\u021a\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd_\ufffd\u04d5^\ufffd\ufffd\ufffds\/.\ufffd\ufffdR\ufffdH{\ufffd\ufffd#\ufffdE&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via TLS:20080 \u00b7 (sonde \/ probe)", "target_port_label": "20080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0013q\ufffd\u04b9\ufffd\ufffd\ufffd\ufffdHC\ufffd\ufffdoH\ufffd-\ufffdw\ufffd\ufffdj\u015c\ufffd\ufffd\u021a\ufffd \u0000\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffd\u04d5^\u000f\ufffd\u0019\ufffd\ufffds\/.\u0000\ufffd\ufffdR\ufffdH{\ufffd\ufffd#\ufffdE\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 20080, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:20080 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdq\ufffd\u04b9\ufffd*\ufffd\ufffd\ufffdHC\ufffd\ufffdoH\ufffd-\ufffdw\ufffd\ufffdj\u015c\ufffd\ufffd\u021a\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd_\ufffd\u04d5^\ufffd\ufffd\ufffds\/.\ufffd\ufffdR\ufffdH{\ufffd\ufffd#\ufffdE&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "20080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /v1/.env	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v1/.env UA Mozilla/5.0 (Linux; Android 9; SM-G973W) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v1/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /v1/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v1/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G973W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /v1/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973W) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /v1/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G973W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "d53452ac851a6ea23bab7ed104e646abf9b0a362", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "0f6d25494f66c35cd0bd7eb1054d443c9b0c6f63", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.4279626273204125, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "5d13af7ca91c6c6c8d728d22ff9b3f222923a5dd", "event_fingerprint": "c4619205544d1b87ff9001911a4df0d126126917", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6f2bbf3d513697c3fcc5d24bc40bea11", "payload_hash": "0946fb2e67b355c30d6279c597c01dbc", "path_pattern_hash": "a29d1f8ccacc51ac2e54fe6653b8d5f0" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/v1\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v1\/.env HTTP\/1.1", "request_sample": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/v1\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v1\/.env HTTP\/1.1", "request_sample": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9452d6ac65ffcc7cd856822fe3078cce820d3834", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/.env", "request_line": "GET \/v1\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, l", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v1\/.env", "request_line": "GET \/v1\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v1\/.env", "evidence_snippet": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G973W) AppleWebKit\/537.36 (KHTML, l", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /api/v3/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/v3/.env UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537… Émulateur HTTP WAF 39 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /api/v3/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /api/v3/ Ligne de requête `GET /api/v3/.env HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/v3/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.3 Requête brute (extrait) GET /api/v3/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "819be936d3d18db57836a22126102085cf25af00", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "bd51d82ebe68616089e33c9b7e8bd3dca93e4339", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.400002855802376, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 70, "tag_count": 10, "anomaly_count": 0, "campaign_key": "9159b7a081e06ac25c7812044fab4e8a0b12de2d", "event_fingerprint": "6cc26287e825363733798bbae236ec652bb6c442", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 185, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "matched_patterns": [ "pat-0214" ], "matched_pattern_names": [ "Probe \/api\/v3\/" ], "pattern_ids": [ "pat-0214" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1b36faa30a44a408da7057ac04735d65", "payload_hash": "b35ce22b8926e5a6c38472b2a6fc9eda", "path_pattern_hash": "04909e92bace7d0131f14c363849c629" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.3", "method": "GET", "path": "\/api\/v3\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.84 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "request_sample": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.84 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/api\/v3\/.env", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.84 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "request_sample": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.84 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "11c83a9bb351580e87b236b48c4a809b86f691a7", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v3\/.env", "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.84 Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.3", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v3\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v3\/.env", "request_line": "GET \/api\/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.84 Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v3\/.env", "evidence_snippet": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit\/537.3", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_api_route_probe", "http_backup_file_scan", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /api/.env.bak	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.bak UA Mozilla/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit/537.36 … Émulateur HTTP WAF 39 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /api/.env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 k8s-api Payload (extrait) GET /api/.env.bak HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit/537.36 ( Requête brute (extrait) GET /api/.env.bak HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "bak", "http_ua_hash": "4645af07bac467d65ed99614cdfcf88d84481766", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "db58915b70ec4f4897682eec5a7fd50dc2102271", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.4034593492159315, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 70, "tag_count": 10, "anomaly_count": 0, "campaign_key": "fda1ab8c5a68739055fdaf99dde0a2a80b1a8dce", "event_fingerprint": "faf156020d6848f56c9f6bb6bc9e1bc53edd135c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "09233f0028aa8b3fa4ab459556af2332", "payload_hash": "2900f32e238c26dc30f39ed655ccb6f7", "path_pattern_hash": "704472054da186f49a4245e261c91fda" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (", "method": "GET", "path": "\/api\/.env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.bak HTTP\/1.1", "request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/api\/.env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.bak HTTP\/1.1", "request_sample": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8c45680939c3cbc043637f8bab7154ff1e919ef4", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.bak", "request_line": "GET \/api\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.bak", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.bak", "request_line": "GET \/api\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.bak", "evidence_snippet": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Redmi 4) AppleWebKit\/537.36 (", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api", "http_backup_file_scan", "http_backup_path", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /uat/.env	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /uat/.env UA Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/200… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /uat/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /uat/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /uat/.env HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20091020 Linux Mint/8 (Helena) Firefox/3.5.3 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /uat/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20091020 Requête brute (extrait) GET /uat/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20091020 Linux Mint/8 (Helena) Firefox/3.5.3 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "038d67f7cb15cee33be4e05dc9be2e1b9da8accb", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "1eb2933a38e1b26e0106588b5505e9710f93d6fb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 233, "payload_entropy": 5.328940428046947, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 6, "anomaly_count": 0, "campaign_key": "2ad2cc499519cd8268ff473e98b8ebc68bb8e77f", "event_fingerprint": "54ac182053125000f127d4f3691536e9928af1de", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0d3250f8bf779602760ccd8f5d62701b", "payload_hash": "d95230d2101b373e6ade05c3540461ca", "path_pattern_hash": "1a8fcb54c8457aab1171c5a3ff6b1128" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020", "method": "GET", "path": "\/uat\/.env", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020 Linux Mint\/8 (Helena) Firefox\/3.5.3", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/uat\/.env HTTP\/1.1", "request_sample": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020 Linux Mint\/8 (Helena) Firefox\/3.5.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020", "evidence": { "method": "GET", "path": "\/uat\/.env", "user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020 Linux Mint\/8 (Helena) Firefox\/3.5.3", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/uat\/.env HTTP\/1.1", "request_sample": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020 Linux Mint\/8 (Helena) Firefox\/3.5.3\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6141e16e7b64467f95697e96f74ebd3aca880113", "protocol_details": { "http_method": "GET", "http_path": "\/uat\/.env", "request_line": "GET \/uat\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020 Linux Mint\/8 (Helena) Firefox\/3.5.3", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/uat\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/uat\/.env", "request_line": "GET \/uat\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020 Linux Mint\/8 (Helena) Firefox\/3.5.3", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/uat\/.env", "evidence_snippet": "GET \/uat\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko\/20091020", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	probe env probe env · via HTTP:20080 · (sonde / probe) · → /env	Élevée	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /env UA SEC-SGHX210/1.0 UP.Link/6.3.1.13.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950470:nosqli-3 http_probe_env Cible HTTP GET /env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /env Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 24 Confiance : Confiance 0 % — 1 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /env HTTP/1.1` User-Agent SEC-SGHX210/1.0 UP.Link/6.3.1.13.0 Règles WAF nosqli-3 Payload (extrait) GET /env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: SEC-SGHX210/1.0 UP.Link/6.3.1.13.0 Accept-Charset: utf-8 Accept-Encodin Requête brute (extrait) GET /env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: SEC-SGHX210/1.0 UP.Link/6.3.1.13.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "6ec0e2c609cbf0f1f6dedcd6c01512118f104033", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "ebac263a482818b6e7a922df98cc560bbc808a0a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 158, "payload_entropy": 5.117930908492534, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 32, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 32, "classification": 32, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 24, "tag_count": 2, "anomaly_count": 0, "campaign_key": "44850ddb21ab180d02070252542c7cfb49772c80", "event_fingerprint": "a7b992d56c1b4c599d6811c29fc922ab84b06b82", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 32, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "979370e78956152b21fbd5bf7981a555", "payload_hash": "b32b775c39626d9709e8e354999648ad", "path_pattern_hash": "1a3ee8c5f071bd935c8a12206727587a" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 24 }, "payload_preview": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "method": "GET", "path": "\/env", "user_agent": "SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/env HTTP\/1.1", "request_sample": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "evidence": { "method": "GET", "path": "\/env", "user_agent": "SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/env HTTP\/1.1", "request_sample": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "717d2abff4a9420353a9110824dbe9a91cc3c043", "protocol_details": { "http_method": "GET", "http_path": "\/env", "request_line": "GET \/env HTTP\/1.1", "http_user_agent": "SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "attack_vector": "probe env \u00b7 via HTTP:20080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 0 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 0%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 32, "classification": 32, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 24, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/env", "request_line": "GET \/env HTTP\/1.1", "http_user_agent": "SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "probe env \u00b7 via HTTP:20080 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/env", "evidence_snippet": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SEC-SGHX210\/1.0 UP.Link\/6.3.1.13.0\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 0 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950470:nosqli-3", "http_probe_env" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /api/v2/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/v2/.env UA Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 39 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v2/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /api/v2/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /api/v2/ Ligne de requête `GET /api/v2/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/v2/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /api/v2/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "d5ddd104539bfa72865607edcd6b14ea1f2b8a4b", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "cc4b30112d6bf6eb67e9d97dbf1e56d5dce1ab0e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.39537106580392, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 70, "tag_count": 10, "anomaly_count": 0, "campaign_key": "9159b7a081e06ac25c7812044fab4e8a0b12de2d", "event_fingerprint": "27b5a917ed87b393b96222d7a372c4df782a8ad5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 185, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "matched_patterns": [ "pat-0213" ], "matched_pattern_names": [ "Probe \/api\/v2\/" ], "pattern_ids": [ "pat-0213" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7bd1161a9f3e5e848bd927daba3e4232", "payload_hash": "b5e92bf9af539511c6dbaac2759d9a37", "path_pattern_hash": "45a8106651a0a44c3f11053706f8aead" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/api\/v2\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v2\/.env HTTP\/1.1", "request_sample": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/api\/v2\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/v2\/.env HTTP\/1.1", "request_sample": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "700ccfd9e0319a32cf228d11db35993f2216b409", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v2\/.env", "request_line": "GET \/api\/v2\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTM", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v2\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/v2\/.env", "request_line": "GET \/api\/v2\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/v2\/.env", "evidence_snippet": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel 3a) AppleWebKit\/537.36 (KHTM", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_api_route_probe", "http_backup_file_scan", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /v2/.env	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v2/.env UA Mozilla/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v2/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /v2/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v2/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /v2/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /v2/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "a0e58f0536f0d6d039ac38ea1afcfc639f14c579", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "79d69dbab75f7603ce6f8ff1846eda4ce95a3fd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.3912496592972925, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "5d13af7ca91c6c6c8d728d22ff9b3f222923a5dd", "event_fingerprint": "18a0bd70ad136240d6fd490373b1a568190ed9ab", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1432cb10f0aa4d0ad703f717b7fe97ee", "payload_hash": "b3e201ec86854249d595422f3d988ca7", "path_pattern_hash": "ea63ee477c90ac313ab228a937b8deee" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/v2\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v2\/.env HTTP\/1.1", "request_sample": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/v2\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v2\/.env HTTP\/1.1", "request_sample": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2d199c72a936337dc118abcaddc17a63ed39ff0f", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/.env", "request_line": "GET \/v2\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, l", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v2\/.env", "request_line": "GET \/v2\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/.env", "evidence_snippet": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1.1; A37f) AppleWebKit\/537.36 (KHTML, l", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /v3/.env	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /v3/.env UA Mozilla/5.0 (Linux; Android 7.0; YS900) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /v3/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /v3/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; YS900) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.136 Iron Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /v3/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; YS900) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /v3/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; YS900) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.136 Iron Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "6e1b3e028fb1e290b54229f145af9ad0fb6d1064", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "8c6c0cf35b21182c44d1fbe7c55901c2e77c5cbc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.430960442226948, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "5d13af7ca91c6c6c8d728d22ff9b3f222923a5dd", "event_fingerprint": "35d9d50fbbdadcf4c181dfd3d3ed80dccfcb5400", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fb7448616c9727647bf1442caf59182", "payload_hash": "e1d8d26f769194cef49450f84359e2d5", "path_pattern_hash": "b9266b5e3818db8e42f016e0af085277" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/v3\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Iron Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v3\/.env HTTP\/1.1", "request_sample": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Iron Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/v3\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Iron Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/v3\/.env HTTP\/1.1", "request_sample": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Iron Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5ac4450ae60e55cb77ee46e9562ff6f9075d9304", "protocol_details": { "http_method": "GET", "http_path": "\/v3\/.env", "request_line": "GET \/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Iron Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/v3\/.env", "request_line": "GET \/v3\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Iron Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v3\/.env", "evidence_snippet": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /app/.env.local	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.local UA Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /app/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.local HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox Requête brute (extrait) GET /app/.env.local HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "9d8b2fa1599c74e63591442cc4d813329231ea73", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "6b35726d908ca1441d48958552cc4f0c6d6cdbcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.279345217895733, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 6, "anomaly_count": 0, "campaign_key": "2ad2cc499519cd8268ff473e98b8ebc68bb8e77f", "event_fingerprint": "df90fc372dddc32f0942b80fc3d42f29a6cf693b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e18edfb1656e9676e904e728003d5bd4", "payload_hash": "23d6226290ede5edfcf1740333e5e4fb", "path_pattern_hash": "d0aea5366423bcf3f26207cfc3fa52c7" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox", "method": "GET", "path": "\/app\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.local HTTP\/1.1", "request_sample": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox", "evidence": { "method": "GET", "path": "\/app\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.local HTTP\/1.1", "request_sample": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f61005404f943161b07c53d4216d730f8797fe14", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.local", "request_line": "GET \/app\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.local", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.local", "request_line": "GET \/app\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox\/5.0 Iceweasel\/5.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.local", "evidence_snippet": "GET \/app\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:5.0) Gecko\/20100101 Firefox", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /api/.env.old	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.old UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603… Émulateur HTTP WAF 39 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /api/.env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.old HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Règles WAF rce-0 nosqli-3 leak-1 leak-8 k8s-api Payload (extrait) GET /api/.env.old HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603. Requête brute (extrait) GET /api/.env.old HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "old", "http_ua_hash": "73f886f1ed596334e49283d03c4022d1546ce9ee", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "1eaaed3d5813b8a0c46124d29705f048ce880ab8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.332973006640204, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 70, "tag_count": 10, "anomaly_count": 0, "campaign_key": "fda1ab8c5a68739055fdaf99dde0a2a80b1a8dce", "event_fingerprint": "aba5f066d9a8670427dc7eb147ae06606a74f9c2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a25df57e234ab2a397e1a011a6bee826", "payload_hash": "409397f83a14c897fe024a0969de7ad2", "path_pattern_hash": "f24df3f6a48f5ead7ac9d4853493d4fa" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.", "method": "GET", "path": "\/api\/.env.old", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.old HTTP\/1.1", "request_sample": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.", "evidence": { "method": "GET", "path": "\/api\/.env.old", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8", "k8s-api" ], "request_line": "GET \/api\/.env.old HTTP\/1.1", "request_sample": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bac5fac4737d95a15172d2e416dfa0040404badd", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.old", "request_line": "GET \/api\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.old", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.old", "request_line": "GET \/api\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.old", "evidence_snippet": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/603.", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api", "http_backup_file_scan", "http_backup_path", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Scan de ports port scan syn · via HTTP:20080 · (reconnaissance) · → /env.old	Élevée	Moyen · 58
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0043 TA0043 Protocole GET /env.old UA Mozilla/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit/537.36 (… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950521:leak-8 http_backup_path Cible HTTP GET /env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 52% Confiance classification 60% Corrélation +8 Risque capteur Moyen · 58 Confiance : Confiance 52 % — 3 tag(s) WAF Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Ligne de requête `GET /env.old HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-8 Payload (extrait) GET /env.old HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /env.old HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "8219863d68fd2cc32606e571dc0ae78500e1752f", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "f2c0dc89039abb7b503900ef73d0ee05f89133ed", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.380450948570668, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "cb84a40cb9f6e217cff2cceeba844827594ff0e0", "event_fingerprint": "4e94e9435b82e89400f83eff48553edc146da605", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 52%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 58, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7f07658f8b35b3c454c617296db76095", "payload_hash": "c911112c0e3a679097e1a7192ea4036c", "path_pattern_hash": "7cac178e79fe10bf41da42670526b73d" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML,", "method": "GET", "path": "\/env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.old HTTP\/1.1", "request_sample": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/env.old", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.old HTTP\/1.1", "request_sample": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dd35885e5794fdecbbbec461b528ad374058fba5", "protocol_details": { "http_method": "GET", "http_path": "\/env.old", "request_line": "GET \/env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/53\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:20080 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.old", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 52%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 60, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 58, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/env.old", "request_line": "GET \/env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/53\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:20080 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.old", "evidence_snippet": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-A510F) AppleWebKit\/537.36 (KHTML,", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8", "http_backup_path", "http_probe_env" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /api/.env.prod	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.prod UA Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Ge… Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /api/.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko/20110123 (like Firefox/3.x) SeaMonkey/2.0.12 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.prod HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Ge Requête brute (extrait) GET /api/.env.prod HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko/20110123 (like Firefox/3.x) SeaMonkey/2.0.12 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "d65a5790a596e390349e2d5871748c622bac4bfa", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "a0523bde74b7800a5f62604ba67d5973949853e7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.327570282650878, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "74a82f80a12dec88f18dd4b80d509154baf5c2e1", "event_fingerprint": "8527cf6af0ad37d906beb47e84ec5494969e8009", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "58cada158fbee4758079abd698a832ea", "payload_hash": "c088df824c84fc30d4c17e0571492012", "path_pattern_hash": "0d46dff1e6403d12ac8e9a297c932ed9" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Ge", "method": "GET", "path": "\/api\/.env.prod", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.prod HTTP\/1.1", "request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Ge", "evidence": { "method": "GET", "path": "\/api\/.env.prod", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.prod HTTP\/1.1", "request_sample": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Ge", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ac0a2d8978f59e2cd7c7b808e20f2853e1ae974", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.prod", "request_line": "GET \/api\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Ge", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.prod", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.prod", "request_line": "GET \/api\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Gecko\/20110123 (like Firefox\/3.x) SeaMonkey\/2.0.12", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.prod", "evidence_snippet": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.17) Ge", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /dev/.env	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /dev/.env UA Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gec… Émulateur HTTP WAF 20 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /dev/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /dev/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /dev/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gecko) WebVideo/1.0.1.10 Version/7.0 Safari/537.71 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /dev/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gecko) W Requête brute (extrait) GET /dev/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gecko) WebVideo/1.0.1.10 Version/7.0 Safari/537.71 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "01615c4c5a5d29fbcf0989270eeae2a0453083c9", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "95dbd9173b5580a94a3583c1e8d31bee303be7a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.310089170558355, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 88, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 7, "anomaly_count": 0, "campaign_key": "7ca33b49d42d4a49baddd8d4dc7fc46da8829dbe", "event_fingerprint": "153b986932bd1786dc55ccdc4b6ed3ab24db666f", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "aaf6988fdc26e3d2c72561eac6731bb1", "payload_hash": "2c088855dea0327a548f499ea3010fdf", "path_pattern_hash": "5776ea19ec2f88a0568ff0bc7de6e909" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) W", "method": "GET", "path": "\/dev\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/dev\/.env HTTP\/1.1", "request_sample": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) W", "evidence": { "method": "GET", "path": "\/dev\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/dev\/.env HTTP\/1.1", "request_sample": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) W", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f24767b5424ac6c86ab34235ac3227fc585a95cd", "protocol_details": { "http_method": "GET", "http_path": "\/dev\/.env", "request_line": "GET \/dev\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) W", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dev\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/dev\/.env", "request_line": "GET \/dev\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) WebVideo\/1.0.1.10 Version\/7.0 Safari\/537.71", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dev\/.env", "evidence_snippet": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.71 (KHTML like Gecko) W", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_dev", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /api/.env.production	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.production UA Mozilla/5.0 (OS/2; Warp 4.5; rv:45.0) Gecko/20100101 Firefox/45… Émulateur HTTP WAF 39 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /api/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 6 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:45.0) Gecko/20100101 Firefox/45.0 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.production HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:45.0) Gecko/20100101 Fire Requête brute (extrait) GET /api/.env.production HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:45.0) Gecko/20100101 Firefox/45.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "2bdf8f3e4bf27e51cf6ef11d993a597699a41278", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "968e975abb5bec4d137f79208dfd090d8456c104", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.253274195881198, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 10, "anomaly_count": 0, "campaign_key": "3b1cc0103a09b1106ff41ebf9d8b33090a6bad74", "event_fingerprint": "a5cc2b18e7f04db85865ff8f02972c2e321c8b5f", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "23bebb76be935fbc6f2a84e7c421bd5f", "payload_hash": "919df8b38da8cd4dd14192f022dd4b16", "path_pattern_hash": "3695b3884d13830f81357e8fc9151d2d" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Fire", "method": "GET", "path": "\/api\/.env.production", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.production HTTP\/1.1", "request_sample": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Fire", "evidence": { "method": "GET", "path": "\/api\/.env.production", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.production HTTP\/1.1", "request_sample": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Fire", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4acabbfb524f4d6225def3bb17a2727c088c1096", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.production", "request_line": "GET \/api\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Fire", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.production", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.production", "request_line": "GET \/api\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Firefox\/45.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.production", "evidence_snippet": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:45.0) Gecko\/20100101 Fire", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 6 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /production/.env	Élevée	Élevé · 65
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /production/.env UA SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0 Émulateur HTTP WAF 20 Recommandation Investiguer Tags 950468:nosqli-3 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /production/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /production/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 65 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /production/.env HTTP/1.1` User-Agent SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0 Règles WAF nosqli-3 leak-1 Payload (extrait) GET /production/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0 Requête brute (extrait) GET /production/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: SonyEricssonT610/R201 Profile/MIDP-1.0 Configuration/CLDC-1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "df4255e7fbd2005f5d916a68c796bbfd17d395f2", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "0e5da18e94a87fd88e6a09d81109dbf41d7bea9b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 197, "payload_entropy": 5.169953563375238, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 88, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 6, "anomaly_count": 0, "campaign_key": "d63b7e9774f86a548ba0fd0641fa40744704b74a", "event_fingerprint": "2f41ad80dff22a696fece79903ef2f28a149aec2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ac26a845045a716f2fb58d736c446339", "payload_hash": "1ecd55385b2b9c4d318e9ad522643b10", "path_pattern_hash": "ea627d9d22b8cf889f18c35c4c7d909f" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0", "method": "GET", "path": "\/production\/.env", "user_agent": "SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/production\/.env HTTP\/1.1", "request_sample": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0", "evidence": { "method": "GET", "path": "\/production\/.env", "user_agent": "SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "nosqli-3", "leak-1" ], "request_line": "GET \/production\/.env HTTP\/1.1", "request_sample": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b56c21a474aadaab07cf234a7eaf811955725310", "protocol_details": { "http_method": "GET", "http_path": "\/production\/.env", "request_line": "GET \/production\/.env HTTP\/1.1", "http_user_agent": "SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/production\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 88, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/production\/.env", "request_line": "GET \/production\/.env HTTP\/1.1", "http_user_agent": "SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/production\/.env", "evidence_snippet": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: SonyEricssonT610\/R201 Profile\/MIDP-1.0 Configuration\/CLDC-1.0", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 88 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /test/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /test/.env UA NokiaN73-1/3.0649.0.0.1 Series60/3.0 Profile/MIDP2.0 Configurat… Émulateur HTTP WAF 28 Recommandation Investiguer Tags 950318:lfi-14 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /test/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /test/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /test/.env HTTP/1.1` User-Agent NokiaN73-1/3.0649.0.0.1 Series60/3.0 Profile/MIDP2.0 Configuration/CLDC-1.1 Règles WAF lfi-14 nosqli-3 leak-1 Payload (extrait) GET /test/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: NokiaN73-1/3.0649.0.0.1 Series60/3.0 Profile/MIDP2.0 Configuration/ Requête brute (extrait) GET /test/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: NokiaN73-1/3.0649.0.0.1 Series60/3.0 Profile/MIDP2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "dca4d3bdabad517f73120fdabe50623bbba6237b", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "8197cec9b1d84f19de1c5b10c28917030b9542e4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 205, "payload_entropy": 5.210364066845351, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 8, "anomaly_count": 0, "campaign_key": "8e9f1983e0c8b6650378dd42a5584b60b7290150", "event_fingerprint": "df9bd4601054769bd09b734352006460a27deba9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c87d3d1e213ad2db8b6f072ad7c7329e", "payload_hash": "b054ea87a9df908475e7b2ef023c1bfd", "path_pattern_hash": "a0f6f48aed881c23044b32112fcbe5cd" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/", "method": "GET", "path": "\/test\/.env", "user_agent": "NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950318:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1" ], "request_line": "GET \/test\/.env HTTP\/1.1", "request_sample": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/", "evidence": { "method": "GET", "path": "\/test\/.env", "user_agent": "NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950318:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "leak-1" ], "request_line": "GET \/test\/.env HTTP\/1.1", "request_sample": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fb5cbe0b542cffa0f426f59383bf5e8dc58b61ea", "protocol_details": { "http_method": "GET", "http_path": "\/test\/.env", "request_line": "GET \/test\/.env HTTP\/1.1", "http_user_agent": "NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/CLDC-1.1", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/test\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/test\/.env", "request_line": "GET \/test\/.env HTTP\/1.1", "http_user_agent": "NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/CLDC-1.1", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/test\/.env", "evidence_snippet": "GET \/test\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: NokiaN73-1\/3.0649.0.0.1 Series60\/3.0 Profile\/MIDP2.0 Configuration\/", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_test", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Scan de ports port scan syn · via HTTP:20080 · (reconnaissance) · → /env.bak	Élevée	Moyen · 59
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0043 TA0043 Protocole GET /env.bak UA Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTM… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950521:leak-8 http_backup_file_scan Cible HTTP GET /env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 52% Confiance classification 60% Corrélation +8 Risque capteur Moyen · 59 Confiance : Confiance 52 % — 3 tag(s) WAF Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Ligne de requête `GET /env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-8 Payload (extrait) GET /env.bak HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /env.bak HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; GM1917) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "a72cb44b77f705dfad42bf99e191154153cac1f4", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "a267c1a6bb1f8e78acd54116556c5ca3263f5088", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.414962106490275, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 7, "anomaly_count": 0, "campaign_key": "d9640462bed528f7164db66948c82082d2224f71", "event_fingerprint": "f212fc27ab583d0d17e2247c29b46e892e1ef01e", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 52%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63ccc5b3b08cee6d0ff7cd59b3427dcd", "payload_hash": "ec6f50b089205df696a008369f58a14c", "path_pattern_hash": "8c7af96cfa7ab0d2b434d66566500145" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.bak HTTP\/1.1", "request_sample": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-8" ], "request_line": "GET \/env.bak HTTP\/1.1", "request_sample": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8e5e2928db73984b78e1aa99c1883ada2acd86fb", "protocol_details": { "http_method": "GET", "http_path": "\/env.bak", "request_line": "GET \/env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "port scan syn \u00b7 via HTTP:20080 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.bak", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 52%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 60, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/env.bak", "request_line": "GET \/env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:20080 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.bak", "evidence_snippet": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; GM1917) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /qa/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /qa/.env UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /qa/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /qa/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « lfi-14 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /qa/.env HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.7.2000 Règles WAF lfi-14 rce-0 nosqli-3 leak-1 Payload (extrait) GET /qa/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /qa/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Maxthon/5.2.7.2000 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "5d6e432afbd5a88d01d20042ca420470989464c5", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "347f368cf7019820ddbef16e4ba72b557e9ffd91", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.430104283718847, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.5, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 8, "anomaly_count": 0, "campaign_key": "1dc5592a141043b9f067fc2ddd48fc7a5bccfa0e", "event_fingerprint": "2617ed8c2aefa41a50453cb1cf46a16b86243da0", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "47bc4b6bcddc75536dcba861a8db4192", "payload_hash": "d5a23fd1b6af0290e67beb13a720efb8", "path_pattern_hash": "304ba9ff810db7ae18a3843216ad1c4b" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like ", "method": "GET", "path": "\/qa\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.2000", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/qa\/.env HTTP\/1.1", "request_sample": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.2000\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/qa\/.env", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.2000", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/qa\/.env HTTP\/1.1", "request_sample": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5.2.7.2000\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a5a9bfbf8e6859e1d96b0fcae4c48046472bef85", "protocol_details": { "http_method": "GET", "http_path": "\/qa\/.env", "request_line": "GET \/qa\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/qa\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab lfi-14 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/qa\/.env", "request_line": "GET \/qa\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.79 Safari\/537.36 Maxthon\/5\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/qa\/.env", "evidence_snippet": "GET \/qa\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Scan de ports port scan syn · via HTTP:20080 · (reconnaissance) · → /env.txt	Élevée	Faible · 37
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0043 TA0043 Protocole GET /env.txt UA Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Ge… Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950470:nosqli-3 net_flood Cible HTTP GET /env.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /env.txt Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 52% Confiance classification 60% Corrélation +8 Risque capteur Faible · 37 Confiance : Confiance 52 % — 1 tag(s) WAF Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Ligne de requête `GET /env.txt HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 Règles WAF nosqli-3 Payload (extrait) GET /env.txt HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) C Requête brute (extrait) GET /env.txt HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "17c09ec5cebff2507db855e6cac332d395dd43c7", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "43063baf0fda73950dd575fa216e503f70ad04be", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.4009756507023, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 37, "tag_count": 2, "anomaly_count": 0, "campaign_key": "dad02c7e909e2679c636f9387dc04d10af2c6d30", "event_fingerprint": "4f8fbc58d8c7a48e50c44a636825ab9ccd5c91a5", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 52%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 37, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "50af0048473dfb526c37e5eb89438a91", "payload_hash": "b634eaa33e465b5689c107a0e08d4bb0", "path_pattern_hash": "4ff48f74005d677acf48e527b71c7273" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 37 }, "payload_preview": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) C", "method": "GET", "path": "\/env.txt", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.112 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/env.txt HTTP\/1.1", "request_sample": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.112 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) C", "evidence": { "method": "GET", "path": "\/env.txt", "user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.112 Safari\/537.36", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/env.txt HTTP\/1.1", "request_sample": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.112 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) C", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "84e8588f861b4209ae233265069703b0f4485347", "protocol_details": { "http_method": "GET", "http_path": "\/env.txt", "request_line": "GET \/env.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.112 Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) C", "attack_vector": "port scan syn \u00b7 via HTTP:20080 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.txt", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 52%", "classification_reason_label_fr": "Tags WAF: nosqli-3 \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 37\/100 (Faible) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 60, "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 37, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 37, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/env.txt", "request_line": "GET \/env.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.112 Safari\/537.36", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:20080 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.txt", "evidence_snippet": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 5.1) AppleWebKit\/537.36 (KHTML, like Gecko) C", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /development/.env	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /development/.env UA Opera/9.80 (Android; Opera Mini/43.3.2254/150.36; U; en) Presto… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /development/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /development/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /development/.env HTTP/1.1` User-Agent Opera/9.80 (Android; Opera Mini/43.3.2254/150.36; U; en) Presto/2.12.423 Version/12.16 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /development/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Opera/9.80 (Android; Opera Mini/43.3.2254/150.36; U; en) Pre Requête brute (extrait) GET /development/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Opera/9.80 (Android; Opera Mini/43.3.2254/150.36; U; en) Presto/2.12.423 Version/12.16 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "4b6cf9c083ef389e05b5e78ccf056ed2b5c6db66", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "368a782b06d2e3f08e91fcad6aa099df587b3caa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 223, "payload_entropy": 5.191493618676189, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e9aa7eb82c3f99f7156c75b4028f16187b4e8ca4", "event_fingerprint": "047110da9a90d65a4e27e18bf38fca1138436e7a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9edf80910dd9ca25faf4d367d07c3e19", "payload_hash": "b2725a95961f1dad69d4588ed2952bb9", "path_pattern_hash": "5ac5643a22156fcbe040fcd2350884e7" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Pre", "method": "GET", "path": "\/development\/.env", "user_agent": "Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Presto\/2.12.423 Version\/12.16", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/development\/.env HTTP\/1.1", "request_sample": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Presto\/2.12.423 Version\/12.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Pre", "evidence": { "method": "GET", "path": "\/development\/.env", "user_agent": "Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Presto\/2.12.423 Version\/12.16", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/development\/.env HTTP\/1.1", "request_sample": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Presto\/2.12.423 Version\/12.16\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Pre", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d7f53bdc2ccd65bb31cb77a62582dc91d2cdd922", "protocol_details": { "http_method": "GET", "http_path": "\/development\/.env", "request_line": "GET \/development\/.env HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Presto\/2.12.423 Version\/12.16", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Pre", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/development\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/development\/.env", "request_line": "GET \/development\/.env HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Presto\/2.12.423 Version\/12.16", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/development\/.env", "evidence_snippet": "GET \/development\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Opera\/9.80 (Android; Opera Mini\/43.3.2254\/150.36; U; en) Pre", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /prod/.env	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /prod/.env UA Mozilla/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit/537.36 (… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /prod/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /prod/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /prod/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /prod/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /prod/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "1f245d0d1d653feb1b66c0e27330a61199069bba", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "7702579be3ca2d14cb80324c6a749f13cc1e6ce1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.413824736853176, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e9aa7eb82c3f99f7156c75b4028f16187b4e8ca4", "event_fingerprint": "69868d5fe87af24d822ceff6b9e0be0468dce375", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "db21fb16e11ad495c24878c8f181edd3", "payload_hash": "dda3541359e4b47987ac8a3605fc5c9c", "path_pattern_hash": "e986d9a8713d4af4d188b7a61ad378ee" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/prod\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/prod\/.env HTTP\/1.1", "request_sample": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/prod\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/prod\/.env HTTP\/1.1", "request_sample": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a592b3513f99505a932d630385eb21d99c65c556", "protocol_details": { "http_method": "GET", "http_path": "\/prod\/.env", "request_line": "GET \/prod\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTM", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/prod\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/prod\/.env", "request_line": "GET \/prod\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/53\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/prod\/.env", "evidence_snippet": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; SM-N9200) AppleWebKit\/537.36 (KHTM", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /api/.env.staging	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.staging UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/603… Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /api/.env.staging Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.staging HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.staging HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/ Requête brute (extrait) GET /api/.env.staging HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "staging", "http_ua_hash": "1c468107dbf23e687320531c26f9212069ec5124", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "558189df00dd1f382a665a69aadcd9f4c6685109", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.318707713944435, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 9, "anomaly_count": 0, "campaign_key": "ccc045ad59e7bb0913b4f9a8a4e9e89118c5bd80", "event_fingerprint": "4b4b5ac1f7748018e51efb8704de5db6c78766c6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "39bce726e77596f8ea75b6f45ee74bf6", "payload_hash": "e07949b4bd6e8ea30119f377b08efb2a", "path_pattern_hash": "07bb9306fa50af07f9ffa6d9d05639e6" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "method": "GET", "path": "\/api\/.env.staging", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.staging HTTP\/1.1", "request_sample": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/api\/.env.staging", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.staging HTTP\/1.1", "request_sample": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0cbef7a104cad69400abd637da5cec8cf3bc2a37", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.staging", "request_line": "GET \/api\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.staging", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.staging", "request_line": "GET \/api\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.1.2 Safari\/603.3.8", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.staging", "evidence_snippet": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /.env.backup.txt	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.backup.txt UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.backup.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /.env.backup.txt Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0192 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.backup Ligne de requête `GET /.env.backup.txt HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.backup.txt HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/5 Requête brute (extrait) GET /.env.backup.txt HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "e37a2d30641b7318e36aea4a6efc4a6f52fd2429", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "184b58f152ad4847d3c68a03f1b63b5f06475d83", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.408691899529769, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 6, "anomaly_count": 0, "campaign_key": "ec33a92e3678bebb8138e6337c3accd76d9f6a9a", "event_fingerprint": "1d58d9ec72b347de3c968ef665f5ba2e17a30d0a", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0192" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.backup" ], "pattern_ids": [ "pat-0191", "pat-0192" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e9032546a0e15e71740347880b3a2694", "payload_hash": "3d4786fd421c6882b4bc5553d220d841", "path_pattern_hash": "34c4e8aec1933ec66edde754c405cd53" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/5", "method": "GET", "path": "\/.env.backup.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.backup.txt HTTP\/1.1", "request_sample": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/.env.backup.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.backup.txt HTTP\/1.1", "request_sample": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "194b6ceddd0897cd7544f052c553ea4767360f6f", "protocol_details": { "http_method": "GET", "http_path": "\/.env.backup.txt", "request_line": "GET \/.env.backup.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/5", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.backup.txt", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0192" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.env.backup.txt", "request_line": "GET \/.env.backup.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.backup.txt", "evidence_snippet": "GET \/.env.backup.txt HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/5", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /api/.env.backup	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env.backup UA Mozilla/5.0 (Linux; Android 9; SM-G901F Build/PQ3A.190705.003) … Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /api/.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G901F Build/PQ3A.190705.003) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env.backup HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G901F Build/PQ3A.190705.003 Requête brute (extrait) GET /api/.env.backup HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G901F Build/PQ3A.190705.003) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Enc Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "486c552b10071a1321f524173af4f6d789973066", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "9dab8234c39ccb9ea2d77d85642de0c301ab4efb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 290, "payload_entropy": 5.459148411007904, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 9, "anomaly_count": 0, "campaign_key": "ccc045ad59e7bb0913b4f9a8a4e9e89118c5bd80", "event_fingerprint": "e9466c6576e46d9b9e6059d07c4e3c82dca2d92d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ee5308ef8fd78e0fad34d2d40efbe8b8", "payload_hash": "fb46a2ea3251bd489a3ba41cb27a0e50", "path_pattern_hash": "49a3b01836cfe2c6affa28c94f1fce0a" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003", "method": "GET", "path": "\/api\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.backup HTTP\/1.1", "request_sample": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enc", "payload_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003", "evidence": { "method": "GET", "path": "\/api\/.env.backup", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env.backup HTTP\/1.1", "request_sample": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enc", "payload_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4b71605f77a562b8655bb76fbd3004c50b780f6a", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.backup", "request_line": "GET \/api\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrom\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.backup", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env.backup", "request_line": "GET \/api\/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrom\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env.backup", "evidence_snippet": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G901F Build\/PQ3A.190705.003", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /api/.env	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /api/.env UA Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/5… Émulateur HTTP WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /api/.env Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /api/.env HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 k8s-api Payload (extrait) GET /api/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/537.36 Requête brute (extrait) GET /api/.env HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "daef42a21df445f94f682246a0f12c5c5ec788d7", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "f5b7d21cf92d5caca6cd906725e72730e31bc18c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.413998311310375, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 9, "anomaly_count": 0, "campaign_key": "ccc045ad59e7bb0913b4f9a8a4e9e89118c5bd80", "event_fingerprint": "53246556ace5aff004c8e1f88123f5f2797ef8c5", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c6b3619039704febe848287f0873e60d", "payload_hash": "dd4a635ef92840e4000395ee64ed82d0", "path_pattern_hash": "3c658e3b68f996f41891a76e1d05a9a5" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36", "method": "GET", "path": "\/api\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env HTTP\/1.1", "request_sample": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/api\/.env", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "k8s-api" ], "request_line": "GET \/api\/.env HTTP\/1.1", "request_sample": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a4bb63c4297f60f7522165d5dac2fc2b7ee8a1a4", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env", "request_line": "GET \/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Sa\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/api\/.env", "request_line": "GET \/api\/.env HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Mobile Sa\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/api\/.env", "evidence_snippet": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Infinix X624B) AppleWebKit\/537.36", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_backup_file_scan", "http_probe_api", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /backend/.env.prod	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.prod UA Mozilla/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) Apple… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /backend/.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML like Gecko) Version/7.0 Mobile/11D167 Safari/123E71C Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) A Requête brute (extrait) GET /backend/.env.prod HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML like Gecko) Version/7.0 Mobile/11D167 Safari/123E71C Accept-Charset: utf-8 Accept-Encoding: gzip C Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "2ce3214e6f6fd4aa2f050acb96e483555dcc17ca", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "ece1b00dd116de2d5cd1e616b647fb67b7d3b035", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 276, "payload_entropy": 5.376047519520861, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e9aa7eb82c3f99f7156c75b4028f16187b4e8ca4", "event_fingerprint": "a39fadb347c4d333e4feb9d4f7c0ed2fec1519bf", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3e8ea875e597ee50195c223d7022cee2", "payload_hash": "3d83ced2d6e7d65bc6340496923855fa", "path_pattern_hash": "06b37c283e0032a53442bbe10821cfeb" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) A", "method": "GET", "path": "\/backend\/.env.prod", "user_agent": "Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D167 Safari\/123E71C", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D167 Safari\/123E71C\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) A", "evidence": { "method": "GET", "path": "\/backend\/.env.prod", "user_agent": "Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D167 Safari\/123E71C", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "request_sample": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D167 Safari\/123E71C\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) A", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6b2068515551abae95f12cc2ee36c73c0a5762f4", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.prod", "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) A", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.prod", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.prod", "request_line": "GET \/backend\/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.prod", "evidence_snippet": "GET \/backend\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) A", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Scan de ports port scan syn · via HTTP:20080 · (reconnaissance) · → /env.backup	Élevée	Moyen · 47
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0043 TA0043 Protocole GET /env.backup UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /env.backup Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 60% Corrélation +8 Risque capteur Moyen · 47 Confiance : Confiance 52 % — 2 tag(s) WAF Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Ligne de requête `GET /env.backup HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /env.backup HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebK Requête brute (extrait) GET /env.backup HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "backup", "http_ua_hash": "4a089f08acea2fc398890e2ab42604a92a54d7ee", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "de881192e40b910ddadfeaa7d74737f8ac4fcb8e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 270, "payload_entropy": 5.369726831980522, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "428d96eb1dc3c8a6f4d58584c94bc90c7e69ffdc", "event_fingerprint": "a4801b117ba186d00cc9dd04b7f5d0b27c82fc42", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 52, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c4d723f771cce494730079f642dbfbc2", "payload_hash": "6e5f3786d2a8566aa66d3c68364905ce", "path_pattern_hash": "0913256c1ce2cf4361c479b44d591aa5" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebK", "method": "GET", "path": "\/env.backup", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.backup HTTP\/1.1", "request_sample": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebK", "evidence": { "method": "GET", "path": "\/env.backup", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/env.backup HTTP\/1.1", "request_sample": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b20b51918ae1545c72711f1dedff84cf32d06fe5", "protocol_details": { "http_method": "GET", "http_path": "\/env.backup", "request_line": "GET \/env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebK", "attack_vector": "port scan syn \u00b7 via HTTP:20080 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.backup", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 60, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/env.backup", "request_line": "GET \/env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1.1 Mobile\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:20080 \u00b7 (reconnaissance) \u00b7 \u2192 \/env.backup", "evidence_snippet": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebK", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /app/.env.staging	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.staging UA Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia6120c/3.70; Pr… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /app/.env.staging Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.staging HTTP/1.1` User-Agent Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia6120c/3.70; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia6120c/3.70; Requête brute (extrait) GET /app/.env.staging HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Nokia6120c/3.70; Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Accept-Charset: utf-8 Accept-Encoding Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "staging", "http_ua_hash": "8c2614bbf9f218a5d976ff58f743fe6b7c425646", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "e84f59fbbec8a04fdfc3078fbdf0ae4fd69640c6", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 285, "payload_entropy": 5.451778736821139, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e9aa7eb82c3f99f7156c75b4028f16187b4e8ca4", "event_fingerprint": "603ce7d694b4aca9e4f53d2294681a5313ce789c", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "01d2aa7a14467af5cbdbef13441abb73", "payload_hash": "1f1a8434ab8260a100736fce325e546a", "path_pattern_hash": "5a281530de78ccf813317373171371c8" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70;", "method": "GET", "path": "\/app\/.env.staging", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70; Profile\/MIDP-2.0 Configuration\/CLDC-1.1) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.staging HTTP\/1.1", "request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70; Profile\/MIDP-2.0 Configuration\/CLDC-1.1) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70;", "evidence": { "method": "GET", "path": "\/app\/.env.staging", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70; Profile\/MIDP-2.0 Configuration\/CLDC-1.1) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.staging HTTP\/1.1", "request_sample": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70; Profile\/MIDP-2.0 Configuration\/CLDC-1.1) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70;", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "29374df8bd7100ec11a5d819f7186fcf061c132a", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.staging", "request_line": "GET \/app\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70; Profile\/MIDP-2.0 Configuration\/CLDC-1.1) AppleWebKit\/413 (\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70;", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.staging", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.staging", "request_line": "GET \/app\/.env.staging HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70; Profile\/MIDP-2.0 Configuration\/CLDC-1.1) AppleWebKit\/413 (\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.staging", "evidence_snippet": "GET \/app\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.2; U; Series60\/3.1 Nokia6120c\/3.70;", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /backend/.env.old	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.old UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /backend/.env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.old HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /backend/.env.old HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/ Requête brute (extrait) GET /backend/.env.old HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "old", "http_ua_hash": "e37a2d30641b7318e36aea4a6efc4a6f52fd2429", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "1f4d8d4518e413ad6b5a41c5ce61d38167670e32", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.397491870360269, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 9, "anomaly_count": 0, "campaign_key": "fed6f08a292ded163e11f270611ad96c3a1aef54", "event_fingerprint": "6149c0decab4a8ec362d1e3c0bc255bbbf5046c2", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e9032546a0e15e71740347880b3a2694", "payload_hash": "8e619d8d2739bf2e11e5c4f0f210e4aa", "path_pattern_hash": "253500a6a15b8bd3c8b0f4dfe71121e2" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "method": "GET", "path": "\/backend\/.env.old", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/backend\/.env.old HTTP\/1.1", "request_sample": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/backend\/.env.old", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/backend\/.env.old HTTP\/1.1", "request_sample": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1df91e10a476a26076261f6dbc42d70af6e1b278", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.old", "request_line": "GET \/backend\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.old", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.old", "request_line": "GET \/backend\/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.old", "evidence_snippet": "GET \/backend\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /app/.env.bak	Élevée	Élevé · 70
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.bak UA Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit/537.36… Émulateur HTTP WAF 35 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /app/.env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 70 Confiance : Confiance 100 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit/537.36 Requête brute (extrait) GET /app/.env.bak HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "bak", "http_ua_hash": "7402f00ae6093c6fffdcb612f330e0e3f19501dc", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "675fe9576f3ec7add08a15dd0c540b55e5bbfdec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.4112708800733795, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 70, "tag_count": 9, "anomaly_count": 0, "campaign_key": "fed6f08a292ded163e11f270611ad96c3a1aef54", "event_fingerprint": "ca773f3b637fa2cd76af232eabe9ba01ef1e97f9", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d3d5b419486e5c7e6816724fd79c2ba6", "payload_hash": "bd57839eab90050d60ea4c966328676b", "path_pattern_hash": "a68a9dfeaee6097716a18c2b9f43c5f9" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 70 }, "payload_preview": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 ", "method": "GET", "path": "\/app\/.env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.bak HTTP\/1.1", "request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/app\/.env.bak", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/app\/.env.bak HTTP\/1.1", "request_sample": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a7b063f95288a4e034f596801812e3fc7e18d503", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.bak", "request_line": "GET \/app\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.bak", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 70\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 70, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 70, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.bak", "request_line": "GET \/app\/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.bak", "evidence_snippet": "GET \/app\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /app/.env.production	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /app/.env.production UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /app/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /app/.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app/.env.production HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebK Requête brute (extrait) GET /app/.env.production HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "c475c0785fc038d264cf230cd29bfe5b8bef3561", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "9f1a3b476954729097b55b44dc605e9187baaeeb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.400797447626641, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e9aa7eb82c3f99f7156c75b4028f16187b4e8ca4", "event_fingerprint": "04bf565322b3319193bebfec3e68cfbd12b3a5dc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c0b8a55a9e00099e8a677a5b704e9aea", "payload_hash": "8f06a6e64720d88ae886eb0d25d3b116", "path_pattern_hash": "129b91fce99c27e6763c24ece35d5295" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebK", "method": "GET", "path": "\/app\/.env.production", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.production HTTP\/1.1", "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebK", "evidence": { "method": "GET", "path": "\/app\/.env.production", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/app\/.env.production HTTP\/1.1", "request_sample": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebK", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "58720d4ad56d6935868436a35030c1c3c1a8c230", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.production", "request_line": "GET \/app\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebK", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.production", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app\/.env.production", "request_line": "GET \/app\/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app\/.env.production", "evidence_snippet": "GET \/app\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebK", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 16:43:32 UTC	TCP	20080 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:20080 · (tentative d'exploit) · → /backend/.env.local	Élevée	Élevé · 69
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /backend/.env.local UA Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWeb… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /backend/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20080 Chemin / cible /backend/.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 69 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux SIGMA-web-config-leak Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /backend/.env.local HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) App Requête brute (extrait) GET /backend/.env.local HTTP/1.1 Host: 62.3.50.33:20080 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1 Accept-Charset: utf-8 Accept-Encoding: gzip Con Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "69986df8073bc4e9dcea9d68961ce79ecf16761a", "http_host_hash": "4777584404e5485a94144893d9097e3a998e7f75", "http_target_hash": "7a997ecf8c7c3ade11101024aba12e58dee560af", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.344069779050635, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 20080, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 69, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e9aa7eb82c3f99f7156c75b4028f16187b4e8ca4", "event_fingerprint": "844e2ee9b253fd7fbd6ab04727c54f51f66adc2e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 215, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "10fbc8133306ca7592821602d7f242e5", "payload_hash": "eef7e411cd57f654c04cd1bdc16fc500", "path_pattern_hash": "6e2a711f7323df4e4b7b37b3c8fb7ec7" }, "target_context": { "dst_port": 20080, "service": "http", "service_name": "http", "risk_score": 69 }, "payload_preview": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) App", "method": "GET", "path": "\/backend\/.env.local", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.local HTTP\/1.1", "request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) App", "evidence": { "method": "GET", "path": "\/backend\/.env.local", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/backend\/.env.local HTTP\/1.1", "request_sample": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Mobile\/15E148 Safari\/604.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nCon", "payload_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) App", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a6adf4a369e6b148e042352c636f7c2094d45812", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.local", "request_line": "GET \/backend\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Mobile\/15E\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) App", "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.local", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 69\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 69, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 69, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20080, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/backend\/.env.local", "request_line": "GET \/backend\/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0 Mobile\/15E\u2026", "port": 20080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:20080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/backend\/.env.local", "evidence_snippet": "GET \/backend\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:20080\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) App", "target_port_label": "20080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }

34.80.127.27

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence