Détails IP 34.80.164.140

Synthèse exécutive

Profil de menace

Score de risque 88/100 Critique

Première observation 04/06/2026 17:15 UTC

Dernière observation 04/06/2026 17:15 UTC

Événements (période) 302

MITRE ATT&CK principal —

risque 68/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

web_attack

Comparaison ASN / FAI

ASN 396982 · 34.80.160.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 302 événements sur la période pour cette IP.

147.185.133.167 Scanner web 18/06/2026 22:06 UTC
35.203.210.21 Scanner web 18/06/2026 22:05 UTC
162.216.149.47 Scanner web 18/06/2026 22:04 UTC
198.235.24.222 Sonde port 18/06/2026 22:04 UTC
162.216.150.92 Scanner web 18/06/2026 22:03 UTC
162.216.150.232 Scanner web 18/06/2026 22:03 UTC
198.235.24.129 Sonde PostgreSQL 18/06/2026 22:03 UTC
162.216.150.38 Scanner web 18/06/2026 22:03 UTC

Événements (filtres)

302

Première observation

04/06/2026 17:15 UTC

Dernière observation

04/06/2026 17:15 UTC

Dernière activité (filtres)

04/06/2026 17:15 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

—

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 151 TLS TCP 151

HTTP

151

TLS

151

Géolocalisation

Origine réseau déclarée

Taïwan unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8443 web_attack

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Aperçu payload

GET /services/backend/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (X11; U; Linux armv7l like Android; en-us) A

Port / service

8443

Recommandation

Investiguer

Confiance

98%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

302 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

302 événement(s) — page 4/7

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��td<5��nH���W��V [d�� &�� D�g�߫��8�yj�� ,G&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.734419083908621, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "6321aa6c35a516efd11b0f4670afb3c7", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdtd<5\ufffd\u0001\ufffd\ufffd\ufffdnH\ufffd\ufffd\ufffdW\ufffd\u0013\ufffd\ufffdV\u0014\r[d\ufffd\ufffd\ufffd\ufffd\u0016 \ufffd\u0003\u0014\u001f&\ufffd\ufffd\n\ufffdD\u0012\ufffdg\ufffd\u0003\u0003\u07eb\u0010\ufffd\ufffd8\ufffdyj\ufffd\ufffd\n,G\u0001\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "222afcdf9f1503f08716ea79e8dd924a381ead8d", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��7zp�e:ʬ?�K��x�fP�#ae:�U�:�� �E4�Խ{ŦD.��%~nj�h��[��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.91460928854759, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ed03ebd2a8acf4a486bbc257251c28ca", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd7zp\u001a\ufffde:\f\u02ac?\ufffdK\ufffd\ufffdx\ufffdfP\ufffd#ae:\ufffdU\ufffd:\ufffd\ufffd \ufffdE\u001e4\ufffd\u053d{\u0166\u0011D.\ufffd\ufffd\ufffd\ufffd\ufffd\u0005%~nj\ufffdh\ufffd\u0014\ufffd[\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "5ae35c0f5a9f4df2d41dfb8cc9daf29c88993bd7", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��$�;��p��I�ߨ�0,�<�^�^l�� c3y &��f��t�봆m�+>O$��R��rX�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.84185255353324, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "0658126f8b7eb4259215a6277e66a2fa", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003$\ufffd;\ufffd\ufffd\ufffd\ufffdp\ufffd\ufffdI\ufffd\u07e8\ufffd0,\ufffd<\ufffd^\ufffd^l\u0011\ufffd\ufffd c3y &\u0004\u000f\ufffd\ufffdf\ufffd\u001b\ufffdt\ufffd\ubd06m\ufffd+>O\u0014$\ufffd\ufffdR\ufffd\ufffd\u001frX\ufffd\u0018\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "357cc60fc8cd14930e2ae29cddda68d78f9822a4", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��Bl��!մ��G�� �׉]� >7�P4�(�� ̍i�E`a�߰�D��;�n��0��^�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8499109890096115, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "7a26ad18330e3003b79e6464ad12dd83", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Bl\ufffd\ufffd\u0016!\u0574\ufffd\ufffd\u001fG\ufffd\ufffd \ufffd\u05c9]\ufffd\n>7\ufffdP4\ufffd(\ufffd\ufffd \ufffd\u030di\ufffdE`a\ufffd\u0003\u07f0\u0002\ufffdD\ufffd\ufffd\b\ufffd;\ufffdn\ufffd\u0010\ufffd0\ufffd\ufffd\ufffd^\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "dea2ca07e1219e04424d952db551a09088d57648", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��7�� TK\&u~�Me�G�� o�$�͝!f��~><��ߴҘT�Z�b��ڂ&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.883441884566311, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "278a07dfc30cf4daabc77d21eb27bd0d", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00037\ufffd\u0015\ufffd\n\ufffd\ufffd\ufffd\ufffd\u0002\ufffd\u000e\ufffd\ufffd\ufffdTK\u0000\\&\u001cu~\ufffdMe\f\ufffdG\ufffd\ufffd \ufffd\n\u0011o\ufffd$\ufffd\u035d!f\u0012\ufffd\ufffd~><\ufffd\ufffd\u07f4\u0498T\ufffdZ\ufffdb\ufffd\ufffd\u0682\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "cc7b0876262ea99f6359c6fae1e8e3d96a59f08e", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��#7��m��Q3Nm>��J�7��ik�Y� ��<h"ub��3B5I\|2TK�h�lC1&Z��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8949213506625, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "a5b661f17269b68bfa5e7dc72053c773", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000f\ufffd\u0014#7\ufffd\ufffd\ufffdm\ufffd\u0016\ufffd\ufffdQ3Nm>\ufffd\ufffd\ufffd\ufffdJ\ufffd7\ufffd\ufffdik\ufffdY\ufffd \ufffd\ufffd<h\u0013\"ub\ufffd\ufffd\ufffd\u00053B5\u0001I\|2TK\ufffdh\ufffdlC1&Z\ufffd\u001d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "9fd6e4794b07c989ec4659d8304383fe9f5f80d5", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��s$5Z��puh5UR&2N��z�A� ��{\|�JF��ZJ��fk��e�#&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.810042656800448, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ab97cd3e73341f83cb2aa285f1fb8a4e", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffd\u0006\ufffds$\u000e5Z\ufffd\ufffd\ufffdpuh\u000e5UR&2N\u000f\ufffd\u0006\u000b\ufffdz\ufffd\u0017A\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd{\|\ufffdJF\ufffd\ufffdZJ\ufffd\u0019\ufffd\ufffd\ufffd\ufffdfk\ufffd\ufffd\ufffd\u0005\ufffd\u0002e\ufffd#\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "49287d9e6b15eec5e3ac711096369f1a29cc07c9", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Moyen · 48
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /env.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /env.txt Confiance classification 86% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G975F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 Payload (extrait) GET /env.txt HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G975F Build/PPR1.180610.011) Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "3faae446fec7a86eb454657cf354f1db0465fa00", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "43063baf0fda73950dd575fa216e503f70ad04be", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 296, "payload_entropy": 5.54052207238134, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 2, "anomaly_count": 0, "campaign_key": "d91e3f95a868773e5e517e1348c53a8cf0750a41", "event_fingerprint": "c0f547ed3bb93b2c1fa5d7f6f3eb170b8c7c1f32", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1f1a1a18a2e7980b5446e549d8c16156", "payload_hash": "0e4682d3b172ab01e1bcb5abc0192df7", "path_pattern_hash": "4ff48f74005d677acf48e527b71c7273" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.86, "classification_confidence": 0.86, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G975F Build\/PPR1.180610.011)", "event_signature": "2f6b09b8d7e75f6f136c1dd25bdd34bef86994da", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Moyen · 48
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /env.backup Confiance classification 86% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/79.0.259819395 Mobile/17A5556d Safari/604.1 Règles WAF 950326:rce-0 950470:nosqli-3 Payload (extrait) GET /env.backup HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "backup", "http_ua_hash": "9437cba28d03b8e367f23e3163029fd837235870", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "de881192e40b910ddadfeaa7d74737f8ac4fcb8e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.448035195099917, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 2, "anomaly_count": 0, "campaign_key": "d91e3f95a868773e5e517e1348c53a8cf0750a41", "event_fingerprint": "e8117b1227de1f2dd6616b81129036a487d31c4a", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9ceb6144297d4f6896850fa4a6c56253", "payload_hash": "d0eb7ce24d7748750898a2a0f2a1786f", "path_pattern_hash": "0913256c1ce2cf4361c479b44d591aa5" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.86, "classification_confidence": 0.86, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 ", "event_signature": "299f061f0877f67e73e5118ff824c33fed2e7035", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950521:leak-8 http_backup_path Cible HTTP GET /env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /env.old Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 YaBrowser/19.6.2.594 (beta) Yowser/2.5 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950521:leak-8 Payload (extrait) GET /env.old HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "345534308daf2d6e65ce84490bca254cbbd2ee3e", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "f2c0dc89039abb7b503900ef73d0ee05f89133ed", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.496929628703978, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e69bd70c54d7cc8c5bdfc4f010aae6e34d4dc210", "event_fingerprint": "c41e791ccc17dbd7ddcd672235596129fb287ace", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "542aa39edacb0be66627cc3141548d47", "payload_hash": "8510f2a548629484a464ef8441b70b25", "path_pattern_hash": "7cac178e79fe10bf41da42670526b73d" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko)", "event_signature": "3719aa801ea2e28516eef30a57b98601fe3594fa", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8", "http_backup_path", "http_probe_env" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build/GINGERBR Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "61dbed70d007c0d32cf7c2124e13335ae0923850", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "f5b7d21cf92d5caca6cd906725e72730e31bc18c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.464805513864075, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "f5a531dc4d55bd5a10abec753c40912d86b8ec03", "event_fingerprint": "c855adecc6e9cb4cd666cac65acf141a580e7446", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5acdde29da57c3be2f0d7b7ed6cacb40", "payload_hash": "0d3fde3cbea9672163f1e7c30fa9204d", "path_pattern_hash": "3c658e3b68f996f41891a76e1d05a9a5" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBR", "event_signature": "07de58c995844a38576d634753e9d1964e9c2c3d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/.env.production Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.8 (KHTML, like Gecko) Version/10.1 Safari/603.1.30 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/.env.production HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKi Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "production", "http_ua_hash": "5dd087a331ea311d96347229c9ef95cedaf70127", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "968e975abb5bec4d137f79208dfd090d8456c104", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.352574944954645, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "f5a531dc4d55bd5a10abec753c40912d86b8ec03", "event_fingerprint": "ec517227fd4b41548921fb340883dc53b8ebbf05", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f559ed575029a7c81794451ec38d8f5d", "payload_hash": "3a0c4bb58c087e3d75d6d4e695271683", "path_pattern_hash": "3695b3884d13830f81357e8fc9151d2d" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKi", "event_signature": "efe9450fd4bd8f9bd8271d8e712b79a8372c1e2a", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 65
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950521:leak-8 http_backup_path Cible HTTP GET /env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /env.bak Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Règles WAF 950326:rce-0 950470:nosqli-3 950521:leak-8 Payload (extrait) GET /env.bak HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "2bfbe271706a862f6724b92d23435ed5f9e6cb45", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "a267c1a6bb1f8e78acd54116556c5ca3263f5088", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.406046036481474, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 65, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e69bd70c54d7cc8c5bdfc4f010aae6e34d4dc210", "event_fingerprint": "48ae862913de0d0e701b1af939821f161a999ac2", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "470d3fdd8e48dbfcf47545bf77c6e6cc", "payload_hash": "d0da575945fb6e0bc2dd26b702efe954", "path_pattern_hash": "8c7af96cfa7ab0d2b434d66566500145" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit\/605", "event_signature": "dd14db4208381596dcd73ce461b7c22da09cdc52", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950521:leak-8", "http_backup_path", "http_probe_env" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/.env.prod Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/.env.prod HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537. Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "prod", "http_ua_hash": "3dc0bf3f45ba48141dd1c49a53ba8c02a61c5fde", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "a0523bde74b7800a5f62604ba67d5973949853e7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.404924180180182, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "f5a531dc4d55bd5a10abec753c40912d86b8ec03", "event_fingerprint": "c31abb3ca252885b68067e74cacae11b3c3d9ed1", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5b8b7ce0b8b73a52ccc26430dc745860", "payload_hash": "8396349c21a16998393561aa4a609a36", "path_pattern_hash": "0d46dff1e6403d12ac8e9a297c932ed9" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.", "event_signature": "47e82bcc0f880f8e912034027cf4198e941b8cd7", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/.env.local Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/.env.local HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "local", "http_ua_hash": "4e6c05989d2ca84ac2660b4faca5a241d97ecc17", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "edb025f9fa0e5ca4830590504e5c719dffe9f0d2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.436272998557508, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "f5a531dc4d55bd5a10abec753c40912d86b8ec03", "event_fingerprint": "8aba8b4d0c0eaede788a082034746767ebb91e26", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2387428a1cf084142d93ceb87d13a00a", "payload_hash": "2e5091f44f5f3c2b9afd5982d556c3be", "path_pattern_hash": "593041543fc7e9468b6d0efddae98740" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, ", "event_signature": "add72d57aba459306d7847c3ae63cc3d353c188d", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/.env.backup Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.32 (KHTML, like Gecko) Chromium/25.0.1349.2 Chrome/25.0.1349.2 Safari/537.32 Epiphany/3.8.2 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/.env.backup HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.32 (KHTML, lik Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "backup", "http_ua_hash": "092150be7aa4c2fa32f323035d62a60dce4a172c", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "9dab8234c39ccb9ea2d77d85642de0c301ab4efb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 274, "payload_entropy": 5.454793469272719, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "f5a531dc4d55bd5a10abec753c40912d86b8ec03", "event_fingerprint": "db35d7576f23d501e75763c80b9674882cdd07f8", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "11e8bca4b4ce0846300e6ebb5343143c", "payload_hash": "1c66b74266f4a195b1be1f1fc2e49557", "path_pattern_hash": "49a3b01836cfe2c6affa28c94f1fce0a" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.32 (KHTML, lik", "event_signature": "1a9a1bf86684b76c1127ba172b10741362e06a12", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 33 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /api/.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/.env.old Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent iTunes/9.0.2 (Windows; N) Règles WAF 950326:rce-0 950468:nosqli-3 950514:leak-1 950521:leak-8 950600:k8s-api Payload (extrait) GET /api/.env.old HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: iTunes/9.0.2 (Windows; N) Accept-Charset: utf-8 Accept-Encoding Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "old", "http_ua_hash": "62c7a4f561331db55e9d732ac42a3e6a3b0a6719", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "1eaaed3d5813b8a0c46124d29705f048ce880ab8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 157, "payload_entropy": 5.175898552519463, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "85f5865209c7d41bc7ce67993875466010b241c7", "event_fingerprint": "75b6f82865c60a1a1f08421daa38d803ba87f00a", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "80c7a2ec952a92279503d16dd31aeb9d", "payload_hash": "a73bdd92b808bb6c6e40bb97753f14ea", "path_pattern_hash": "f24df3f6a48f5ead7ac9d4853493d4fa" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: iTunes\/9.0.2 (Windows; N)\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "event_signature": "00638614145f13cab248e5f7728e45cc89de01a7", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api", "http_backup_path", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.staging TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/.env.staging Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/.env.staging HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/5 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "staging", "http_ua_hash": "7382b5f3b254c99a0d40bda7aefd386539e0be7a", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "558189df00dd1f382a665a69aadcd9f4c6685109", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.413418221772652, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "f5a531dc4d55bd5a10abec753c40912d86b8ec03", "event_fingerprint": "f0ee20c55e8a566bf3aedf34b9eccb24baafe950", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6a2411e8c5387a0c6ebf7396c4178f0a", "payload_hash": "a677263f9a490dce04d1db33da5963dd", "path_pattern_hash": "07bb9306fa50af07f9ffa6d9d05639e6" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit\/5", "event_signature": "ee7f030d0d3ab203d88c6daa2fc009233d7e26d9", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 47 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/.env.bak Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent POLARIS/6.01 (BREW 3.1.5; U; en-us; LG; LX265; POLARIS/6.01/WAP) MMP/2.0 profile/MIDP-2.1 Configuration/CLDC-1.1 Règles WAF 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950521:leak-8 950600:k8s-api Payload (extrait) GET /api/.env.bak HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: POLARIS/6.01 (BREW 3.1.5; U; en-us; LG; LX265; POLARIS/6.01/WAP) Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "bak", "http_ua_hash": "568397da4e0b8a55997a571dc8bd1bcefcb2c326", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "db58915b70ec4f4897682eec5a7fd50dc2102271", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 244, "payload_entropy": 5.451048150281148, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 10, "anomaly_count": 0, "campaign_key": "a6a95bb8f3ec5ca1ffc5c08fbe6f181dc464ca1d", "event_fingerprint": "62f804261f3e55a2ee8faca520eec05825dad351", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9e774193b7bc99d4d8015e024b0dd803", "payload_hash": "409a7fac9ce463420656cc6783f7debe", "path_pattern_hash": "704472054da186f49a4245e261c91fda" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: POLARIS\/6.01 (BREW 3.1.5; U; en-us; LG; LX265; POLARIS\/6.01\/WAP) ", "event_signature": "40ffac4d82baaaeb0515f6eea51f274e6bda4bc3", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "950600:k8s-api", "http_backup_path", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 31 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /api/.env.dev TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/.env.dev Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/.env.dev HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.1 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "dev", "http_ua_hash": "2812e13e86f1b79c9183682e95e7282e60daef11", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "df0da649347f6e8b30ebfd6075798e279a79356e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.398420153698775, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 7, "anomaly_count": 0, "campaign_key": "f5a531dc4d55bd5a10abec753c40912d86b8ec03", "event_fingerprint": "c3844b22fbc0f56391d8b49902e63d759fc20d60", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0058a2ac699769c7006f3c5769e73a54", "payload_hash": "6caba880a0b71d3d39a559b5d11ff851", "path_pattern_hash": "a65c42973e65ed0c7793c8c71a0195da" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/.env.dev HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit\/535.1 ", "event_signature": "881b63d66fe097eafc010374ff9ab0d3483f0306", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 39 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v1/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/v1/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux U; en-US) AppleWebKit/528.5 (KHTML, like Gecko, Safari/528.5 ) Version/4.0 Kindle/3.0 (screen 600x800; rotate) Règles WAF 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/v1/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Linux U; en-US) AppleWebKit/528.5 (KHTML, like Geck Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "210458316e35a53f92d643751372625488481a3f", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "510d89ba7f87ce49d7697f92088f4049153aa93e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.324664556317972, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 9, "anomaly_count": 0, "campaign_key": "705cfaaed5e6ce9a8e5db28abc943f5fd2a7fa94", "event_fingerprint": "194b6e995c85ea6628b0330d24a746a3d23da06f", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6ec3e2c59b2f2d756d99cd4d2f295a13", "payload_hash": "b5a9e34f4163cc0cc9ea095349e0e746", "path_pattern_hash": "5df89d300eb37d420581ac8576ea9498" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux U; en-US) AppleWebKit\/528.5 (KHTML, like Geck", "event_signature": "1d8f125c212ef3129ea863881c55487dc039f0a0", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_k8s_probe", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 39 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/v3/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080716 (Gentoo) Galeon/2.0.6 Règles WAF 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/v3/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/2008071 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "ee51e06bab42e31123dc56d3e7441fe31d3bdca8", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "bd51d82ebe68616089e33c9b7e8bd3dca93e4339", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 220, "payload_entropy": 5.2734668372216, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "69e16fbfd67fdc1ca703b71ab9525ab250e6d3d9", "event_fingerprint": "cfa323b7daf16ee140270caedd3ac960f432bd77", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7c03a0ceb5e41705263eecefeb91e5ab", "payload_hash": "a59a2654a11b0b2b3d65c11048d0d230", "path_pattern_hash": "04909e92bace7d0131f14c363849c629" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko\/2008071", "event_signature": "d14fe4921c0a21b2145992114e0222624ff637c0", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v1/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /v1/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; INE-LX2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /v1/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Linux; Android 9; INE-LX2) AppleWebKit/537.36 (KHTML, lik Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "a71f77221055a0d4e74cfa314d44d4af62da0bec", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "0f6d25494f66c35cd0bd7eb1054d443c9b0c6f63", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.476185424066887, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cc832f25e0b07a7f85f8744ae37530827f9a14ef", "event_fingerprint": "2bde3078549a0be1f9e77d7ede33c6a866248e12", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ba19e4f828ab33163b908119e96dcc78", "payload_hash": "af6e04adc942337e12319fcdcbb22272", "path_pattern_hash": "a29d1f8ccacc51ac2e54fe6653b8d5f0" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; INE-LX2) AppleWebKit\/537.36 (KHTML, lik", "event_signature": "e997ec5456c0140e309986348551e01b30ec62a8", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 69
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 39 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /api/v2/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /api/v2/.env Confiance classification 100% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36 Règles WAF 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 950600:k8s-api Payload (extrait) GET /api/v2/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "env", "http_ua_hash": "1215bf389d17e9a124a263647d6cb18b12708bbb", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "cc4b30112d6bf6eb67e9d97dbf1e56d5dce1ab0e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.423846486073738, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 69, "tag_count": 8, "anomaly_count": 0, "campaign_key": "69e16fbfd67fdc1ca703b71ab9525ab250e6d3d9", "event_fingerprint": "033337cb8c0f0208e7c09b26a7e74bddbddf7b65", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "03d4c03d9b83f0d9bab0a6238dc1efeb", "payload_hash": "bf0aee4ec8f088b01d003fbbde36e59c", "path_pattern_hash": "45a8106651a0a44c3f11053706f8aead" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 1, "classification_confidence": 1, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit\/537.36", "event_signature": "281f1e96be19905484bb866834af9f9956a98b1b", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "950600:k8s-api", "http_probe_api", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v2/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /v2/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en; rv:1.9.2.28) Gecko/20120308 Camino/2.1.2 (like Firefox/3.6.28) Règles WAF 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /v2/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en; rv:1.9.2.28) Gecko Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "2ceb20074286d747bbd1d19fab53e1255939196d", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "79d69dbab75f7603ce6f8ff1846eda4ce95a3fd2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.294585885538031, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cc832f25e0b07a7f85f8744ae37530827f9a14ef", "event_fingerprint": "e06d40dd0d0d40dd155d90bac3ae0d3d6b041a4a", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2ca2153ed425d9203d279da61abf252c", "payload_hash": "641c21ec667fed63c1d4da42d7a961ef", "path_pattern_hash": "ea63ee477c90ac313ab228a937b8deee" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.4; en; rv:1.9.2.28) Gecko", "event_signature": "81d93157d835df2a015518ebd26f0a9aed962106", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��י.�Վ9�W�{'��x�t�� z�� 1�!�-lJ��"�V� ��[��o�ɸ&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.831989160489645, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "93abe675936852e0bb7c423289414ec1", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006\ufffd\ufffd\u001a\u05d9.\ufffd\u054e9\ufffdW\ufffd{'\ufffd\ufffdx\u0006\u0001\u0002\ufffdt\ufffd\ufffd\r\ufffdz\ufffd\ufffd 1\ufffd!\ufffd\u001f-lJ\ufffd\ufffd\ufffd\ufffd\"\ufffd\u000fV\u0002\u0018\ufffd\t\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffdo\ufffd\u0278\u0000\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "7a52f60eb4166084d4832b8ffc5da1bf668d18a4", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 35 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /v3/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /v3/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build/cupcake) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Règles WAF 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /v3/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build/cupcake) A Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "935d1e1c30720eba7c7eae6793f23ac91e0613be", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "8c6c0cf35b21182c44d1fbe7c55901c2e77c5cbc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.370585245877615, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cc832f25e0b07a7f85f8744ae37530827f9a14ef", "event_fingerprint": "2fa43b6ce29cfe6548f59f4e0d629471f51e9a6d", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "32269b3f208dd697f5433592a7a03cb7", "payload_hash": "ae0e62ed051f636d1e0a44e16d71f25c", "path_pattern_hash": "b9266b5e3818db8e42f016e0af085277" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.1; en-us; HTC Legend Build\/cupcake) A", "event_signature": "49343f83300ae7991b5d9d43c80a2bc73005ba72", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Critique · 85
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 21 Recommandation Bloquer (recommandé) Tags 950326:rce-0 950468:nosqli-3 950514:leak-1 http_metasploit_ua Cible HTTP GET /prod/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /prod/.env Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 Règles WAF 950326:rce-0 950468:nosqli-3 950514:leak-1 Payload (extrait) GET /prod/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "26af3f474502b6ee6974e1ecd11c9f00f48ffd48", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "7702579be3ca2d14cb80324c6a749f13cc1e6ce1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.334676176829176, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 92, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 3.5, "risk_breakdown": { "waf": 92, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 85, "tag_count": 5, "anomaly_count": 0, "campaign_key": "830da8cbe65d15b6b8432ff36c8f7b8a52487026", "event_fingerprint": "e2386e14a0c880227210a09cbedb1d512f937187", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6abf26095f94f80be82043d407fbb555", "payload_hash": "c0992c549b300716c951c79ffeb52e2b", "path_pattern_hash": "e986d9a8713d4af4d188b7a61ad378ee" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "block", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/prod\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11) XV6800", "event_signature": "2ed3e684118d5eb40a9d96ac6590a6a496a6931b", "ban_policy": "advisory_block", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950514:leak-1", "http_metasploit_ua", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /production/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /production/.env Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b6pre) Gecko/20100907 Firefox/4.0b6pre Camino/2.2a1pre Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /production/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b6pre) Geck Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "f47b9a59f83ff87c1c152341369541a64e22a21e", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "0e5da18e94a87fd88e6a09d81109dbf41d7bea9b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.3235147062247785, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 5, "anomaly_count": 0, "campaign_key": "67a24eb9ba368d181c26762f2e888dace4031526", "event_fingerprint": "699790e5132320b83698b38fd334260c0875ff7e", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f9311593796430f2654628d24dd80f1a", "payload_hash": "54394658eeb5922640a2a281d7a344a5", "path_pattern_hash": "ea627d9d22b8cf889f18c35c4c7d909f" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/production\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b6pre) Geck", "event_signature": "9eba88912bbe338f797f07a6d3965ab4152c914c", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��r��F;�L07�=�i=�\|tjD�pd�� ǘ ��a�U�GO�S[Ib�.�V��b)��Nx� Q&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.938741385286326, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4484b1d2fbbc80c0fb623a34c550eba6", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003r\ufffd\ufffdF;\ufffd\u0016L07\ufffd=\ufffdi=\ufffd\|tjD\ufffdpd\u0004\ufffd\ufffd\ufffd\ufffd\n\ufffd\u01d8 \ufffd\ufffda\ufffdU\ufffdGO\ufffdS[Ib\ufffd.\ufffdV\ufffd\ufffd\ufffdb)\ufffd\ufffdNx\ufffd\r\fQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "8997071bc550447502cc41f289a4451281722e8b", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ����-{��.Zx�AF\|:?� ��QC �, QR=��Um�K� ��[��$�O��)f&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.908698787246298, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "294f8441ed9eb97663f0fcfa5df2c752", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-{\ufffd\ufffd.Zx\ufffdAF\|:?\ufffd\r\n\ufffd\ufffd\ufffdQC\t\ufffd, QR=\ufffd\ufffdUm\ufffd\u0015K\ufffd\t\ufffd\ufffd\u0014\ufffd[\ufffd\ufffd\u001d$\ufffdO\ufffd\ufffd\ufffd\ufffd\ufffd)\u0010f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "d5f9219171401e62fd07b0806f05955f52fd9522", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /staging/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /staging/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/75.0.3770.90 Chrome/75.0.3770.90 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /staging/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like G Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "d21ee26acbbd7d2b725d10a10b9b32db730ec86f", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "111415a347404bdd37fcf414f912f654289a0484", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.450422646420936, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 6, "anomaly_count": 0, "campaign_key": "0b5a8d2d3362940b1190bddc4338621237cd1776", "event_fingerprint": "e5b727908b7070ca7035948541b947f35cd77bc8", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "128099109897df517e3e18887fd30042", "payload_hash": "c62026bf6787c62888c85b9f007297cb", "path_pattern_hash": "65b91a5bf45b2313cae0e22cf01533dc" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/staging\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like G", "event_signature": "4906d18a7a5794f60404c268c21f56529a4a139f", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_staging", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /stage/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /stage/.env Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; Nokia 7.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /stage/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Linux; Android 9; Nokia 7.1) AppleWebKit/537.36 (KHTML Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "ed9b215da6d1db83e11a82875289d9e0c24c2f00", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "737ca670329de18dc663a9b1a810e4d99c607cf0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.407042032297676, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 5, "anomaly_count": 0, "campaign_key": "67a24eb9ba368d181c26762f2e888dace4031526", "event_fingerprint": "0a81ad828dfa69b87588990b0f8e2a8a8dce1adb", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "02f8c8c2155f15629f33f94563e29f52", "payload_hash": "9d2d25e83e65d444a9e71d792c21dd8c", "path_pattern_hash": "25b2f069e3141e0796938ca9e4e845aa" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/stage\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Nokia 7.1) AppleWebKit\/537.36 (KHTML", "event_signature": "0a9cebc41394204c86c5a269d3445dd07821a4d1", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��'٫{��yx��~�Y�ݮ�Y�`�Tg(V�l 3��u�~��f�y� �R�Θ��&d��\&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8785419742035945, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "37fa0272293a4dcfaa8badf803ea9f1e", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd'\u0000\u066b{\ufffd\ufffdyx\ufffd\ufffd\ufffd~\ufffdY\ufffd\u076e\ufffdY\ufffd`\ufffdTg(V\ufffdl 3\ufffd\ufffdu\ufffd\u001b~\u0017\ufffd\ufffd\ufffd\bf\ufffd\u0017y\ufffd\u0018\r\ufffdR\ufffd\u0398\ufffd\ufffd&d\ufffd\ufffd\\\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "e57ba0bca3d42cbcf85e33870db05e24fc834c5a", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��tX��c�'1��]v'��[�~�Tv��&unw �X��l��R�K `e��З�{��;��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.885048131805357, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c1a253f91be34b79d15d707a9435431a", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\u0004X\ufffd\ufffd\ufffdc\ufffd'1\ufffd\u0003\ufffd]v'\ufffd\ufffd[\ufffd~\ufffdTv\ufffd\ufffd\ufffd&unw \ufffdX\ufffd\ufffdl\ufffd\ufffd\ufffdR\ufffdK\t`\u0001e\ufffd\ufffd\u0417\u000b\ufffd{\ufffd\ufffd\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "5094863c68e3fca9f38c2cfc3a7a09c829c6a191", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	http	web attack	Élevée	Élevé · 68
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /dev/.env TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8443 Chemin / cible /dev/.env Confiance classification 98% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/71.0.3578.98 Chrome/71.0.3578.98 Safari/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950514:leak-1 Payload (extrait) GET /dev/.env HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "env", "http_ua_hash": "d362c219ceda8e4202c2ddf7f91be31b757c6d7b", "http_host_hash": "ca23b5d84feb2280b2be7602d1fc165f90b06f00", "http_target_hash": "95dbd9173b5580a94a3583c1e8d31bee303be7a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.469218785428542, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 68, "tag_count": 6, "anomaly_count": 0, "campaign_key": "0f79a9dfd134b647b674d79aba8489579c339485", "event_fingerprint": "5004701c90040bd0b7ad53d0a924c8aebba27214", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9d2ef4da67532251616f8edab66509af", "payload_hash": "9d2f62f9e5aa8ea4b1b4220e4e4eef86", "path_pattern_hash": "5776ea19ec2f88a0568ff0bc7de6e909" }, "target_context": { "dst_port": 8443, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.98, "classification_confidence": 0.98, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/dev\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "event_signature": "8bde25cce34e066819214f29c212b8db3441a2fd", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950514:leak-1", "http_probe_dev", "http_sensitive_path" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��?@��xjLl�v��ar�a�"<��Kx ��k�FE�I��G��O� ��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.853352026672001, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "d55bbe78a341555ada7d67712e9bac57", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd?@\ufffd\u0014\ufffd\u0010\ufffd\u0007\ufffdxjLl\u000f\u000b\ufffdv\ufffd\ufffdar\ufffda\ufffd\"<\ufffd\ufffdKx \ufffd\ufffd\ufffd\u0005\ufffd\ufffd\ufffd\ufffdk\ufffd\u0001FE\ufffdI\ufffd\ufffd\u001a\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffdO\ufffd\r\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "58bb3267a1d375a78a6e8fe14e02944ef4778f4a", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��ڼq>��byU��3�432�:�e�v͡#B� <�Ywc�� p��ĤI�b�'��;��f&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.847751756605277, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "a612fff11c07bffca581db827e7d42ac", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u06bcq>\ufffd\ufffdbyU\ufffd\ufffd\ufffd3\ufffd432\ufffd:\ufffde\ufffdv\u0361\u0004#\u0003B\ufffd\u001b <\ufffdYwc\ufffd\ufffd\np\ufffd\ufffd\ufffd\ufffd\u0124I\ufffdb\ufffd'\ufffd\u0012\ufffd\ufffd;\ufffd\ufffd\ufffd\ufffdf\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "bd9aad44b468e5819ad7e0317ff33a6202125c61", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��1H �S��~�4�V��:y� ��G<ɈJㄿwΓr�'ر� kV,j�o�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.87082752187667, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "bb29487d5ef2bced41ec7b6232755b3d", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0002\ufffd\ufffd\ufffd\ufffd1H\r\ufffdS\ufffd\ufffd\ufffd\ufffd~\u001c\u0014\ufffd4\ufffd\bV\ufffd\u0016\ufffd\ufffd\ufffd\ufffd:y\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdG<\u0248J\u313fw\u0393r\ufffd'\u0631\ufffd\tkV,j\ufffdo\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "d31adbaf8eb92cdb2013cca5d5e0155baa75756c", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��c=��voY�7��}Nbƥ,�S��Y ��C��D[��\|=�w�ŭ1v�W�N!��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.736560823469755, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "812f20dbc52a2afa030220db8f4a4da5", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c=\ufffd\ufffdvo\u0014Y\ufffd7\b\ufffd\ufffd\u0006}N\u0004\u0002b\u01a5,\ufffdS\ufffd\u000f\ufffd\ufffdY\u000f \ufffd\ufffdC\ufffd\ufffdD\b[\ufffd\ufffd\ufffd\u001d\u0016\|=\ufffdw\ufffd\u016d1v\u0017\ufffdW\ufffdN\u0013!\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "cc5a5d606cdf30c1c19cd30e40e716ded47b2025", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��9�V g7�T珦��?-�Ņ��:�iE.�F eu��}��Ou�POML��4i�H��RR΍}�d&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.9167593462644845, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "373f2310e523e34e3d470415359864fb", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u00019\ufffdV\t\u0004g7\ufffdT\u73e6\ufffd\ufffd?-\ufffd\u0145\ufffd\ufffd:\ufffdiE.\ufffdF eu\ufffd\u0004\ufffd}\ufffd\ufffd\ufffdOu\ufffdPOML\ufffd\ufffd4i\ufffdH\ufffd\ufffdRR\u038d}\ufffdd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "ac3da8823af286824d6ec69b1cf9349bb34acb52", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��s��Z� $h(��@M�6M��]�i+�f]w�� l��5e�x�� S�a�K��yo&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.840227958892321, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "7996c5ea00d2f543a5c126a1d5ed0524", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s\ufffd\ufffd\ufffdZ\ufffd\t$h(\ufffd\ufffd@M\ufffd6M\ufffd\ufffd\ufffd]\ufffdi+\ufffdf]w\u000f\ufffd\ufffd l\ufffd\ufffd5e\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\nS\u0002\u0004\ufffda\ufffdK\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdyo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "b478826d64210f80fb036e72dae593c63a28fb34", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��)t��'7�.�\|�[�H�\|)MI� ��fsU��W��xB��+;��q(��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8250108862874335, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "4a0248194e5e46ede44e3a0acbfdb5d4", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd)\u0003t\ufffd\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd'7\ufffd\u0001.\ufffd\|\ufffd[\ufffdH\ufffd\u0019\|)MI\ufffd \ufffd\u0016\ufffd\ufffdfsU\ufffd\ufffdW\ufffd\ufffdxB\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\u0012;\ufffd\u0001\ufffdq(\ufffd\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "7b130c9762448cf8d7695885ebeba0b18f35e2e7", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��2��X��9]<r�s+,�Ґ��~L T�N��4E��?XĻ��2�+� ��t@&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.829609047422181, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "e130160eca6adbf2e36c720b41699c0d", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd2\ufffd\ufffd\ufffd\u0014X\ufffd\ufffd\u0018\u0005\ufffd\ufffd9]\u0013<r\ufffds\u0016+\u0011,\ufffd\u0490\ufffd\ufffd~L \u0001T\ufffdN\ufffd\ufffd\u001c\ufffd4E\ufffd\ufffd?X\u013b\ufffd\ufffd2\ufffd+\ufffd\r\ufffd\ufffd\ufffd\u0012t@\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "ca9db3cae1649bab4273b7932b92435c5a1e5c19", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��8uN.��sM�G��<�TfaO�4� ��?�9��\|��W8��F�,&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.829180185125717, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "5e31bf6066ccb26e0b94fb178a01a68d", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\b\ufffd8uN.\u000f\ufffd\ufffd\ufffdsM\ufffdG\ufffd\ufffd\ufffd\u0007<\u0013\ufffdTfaO\ufffd4\ufffd \ufffd\u0018\u0000\ufffd\ufffd\ufffd?\ufffd9\ufffd\ufffd\|\ufffd\ufffd\ufffd\u0010\ufffd\ufffd\ufffd\u0004\ufffdW8\ufffd\ufffd\ufffd\u001dF\ufffd\u001e,\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "f61d340d81209bb5eb591b5a79d333b9b2680a74", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��e ��T5�r^?��C \|��X�v� .��=<�Ǌ��~��.��&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.848546050906512, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "0baa832f4b98ab5c5afc6eafc0c60363", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\n\u000e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\u0099\u00005\ufffdr\u0011^\u0004?\ufffd\ufffdC\n\|\ufffd\ufffdX\ufffd\u000fv\ufffd .\u0014\ufffd\ufffd\u000e\ufffd=<\ufffd\u0005\u01ca\ufffd\u001d\u0017\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd.\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "5709b524e3cba50bab2e70c98825ed728ad90cd8", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��]�Pq��͙�RPh� ��%z��I�Q �0Z�͛��Cb�4��1斛`h��i�$�O&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.810663606544857, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "6b6a69a79d40ec7a2a349eb74e33b1a1", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003]\ufffd\u0011Pq\ufffd\u0013\u000b\ufffd\u0359\ufffdRPh\ufffd\r\ufffd\ufffd\ufffd\ufffd\ufffd%z\ufffd\ufffd\ufffd\ufffdI\ufffdQ \ufffd0Z\ufffd\u035b\ufffd\ufffdCb\ufffd\u00014\ufffd\ufffd\ufffd\ufffd\ufffd1\u659b`h\ufffd\ufffd\ufffdi\ufffd$\ufffdO\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "be08290d5f1c8a20fa139f89c64ee75cbc00c925", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��gL��Q��_3� qb�众)��3��P�W� �+^hD�k�7z�F^��1Cʿ-EX�S&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.827214096449273, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "d9e1ca4c37a26db5b9264bb836306058", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003gL\ufffd\ufffdQ\ufffd\u001a\u0017\ufffd_\u00173\ufffd\nqb\ufffd\u4f17)\ufffd\ufffd3\ufffd\ufffd\ufffdP\ufffdW\ufffd\n \u0006\u001b\ufffd+^hD\ufffdk\ufffd7z\ufffdF^\ufffd\u0002\ufffd\ufffd\ufffd\ufffd\u001d1C\u02bf-EX\ufffd\u0019S\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "e29d3c02a75c597601c9d9191c22e6ca24957c58", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��z_�M��#D-�L��0��T�0d�n8 ��Eʣe��e�z�itfw��ZI�_�ť:$&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.892266441128498, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "870e8cc3243c64fa144727181ce0a4d3", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdz_\ufffdM\u0010\ufffd\ufffd\u0011\ufffd\ufffd\ufffd#D-\ufffd\u001eL\ufffd\ufffd0\ufffd\u001b\ufffd\ufffdT\ufffd0d\ufffdn8 \ufffd\ufffdE\u02a3e\ufffd\ufffde\u001d\ufffdz\u0005\ufffditf\u0002w\ufffd\ufffdZI\u000e\ufffd_\ufffd\u0165:$\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "018a9a327baa2b8426c816021067886609e885e1", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
04/06/2026 17:15:27 UTC	TCP	8443	tls	Sonde TLS	Élevée	Faible · 26
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Confiance classification 74% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��k�p�Z�w��ڬ�uZE��\| g?�!�� ѫ�� n ��X[+4��a�� `�q��,/{�l�&�+�/�,�0̨̩� �� /5� w Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.846181667910988, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "TW", "dst_port": 8443, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 26, "tag_count": 3, "anomaly_count": 0, "campaign_key": "765c1719b28b6758c599bb2367ef9ca242181d2c", "event_fingerprint": "d15ebe485b7a9865ce7ae63ec0cbd707e596ada7", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "8b00e342e7d808df201c162063745fa4", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 8443, "service": "tls" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003k\ufffdp\ufffdZ\ufffdw\ufffd\ufffd\u06ac\ufffdu\fZE\ufffd\ufffd\|\u001c\tg?\ufffd!\ufffd\ufffd\n\u046b\ufffd\ufffd n\n\ufffd\ufffd\u001bX\u000f[+4\ufffd\ufffda\ufffd\ufffd\n`\ufffdq\ufffd\u0006\ufffd\ufffd\ufffd,\/{\ufffd\u0000l\ufffd\u0005\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "event_signature": "f9791ccb019387a69aa06d7eebf39abf89f51022", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }

34.80.164.140

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence