Renseignement sur les menaces

Taïwan

34.80.75.115

FAI Google LLC Première vue 14/06/2026 11:37 UTC Dernière vue 14/06/2026 11:37 UTC Risque Élevé

Période analysée : 2026-05-18 → 2026-06-17

Activité suspecte — risque 64/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 75/100 Élevé

Première observation 14/06/2026 11:37 UTC

Dernière observation 14/06/2026 11:37 UTC

Événements (période) 854

MITRE ATT&CK principal TA0007 433 occurrences

Activité suspecte — risque 64/100 (Moyen) — MITRE T1499 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http_flood » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 88 · Bonus corrélation +8 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 34.80.64.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 854 événements sur la période pour cette IP.

35.203.211.29 Scanner web 17/06/2026 23:15 UTC
198.235.24.179 Sonde RDP 17/06/2026 23:15 UTC
198.235.24.235 oracle tns probe 17/06/2026 23:14 UTC
147.185.133.211 Scanner web 17/06/2026 23:13 UTC
162.216.150.167 Sonde port 17/06/2026 23:11 UTC
205.210.31.76 Sonde port 17/06/2026 23:10 UTC
198.235.24.52 Sonde port 17/06/2026 23:08 UTC
162.216.150.57 Scanner web 17/06/2026 23:08 UTC

Événements (filtres)

854

Première observation

14/06/2026 11:37 UTC

Dernière observation

14/06/2026 11:37 UTC

Dernière activité (filtres)

14/06/2026 11:37 UTC

Événements 7j

854

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 427 TLS TCP 427

HTTP

427

TLS

427

Géolocalisation

Origine réseau déclarée

Taïwan unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 8290 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Tentative d'exploit

Chaîne d'attaque

Exploitation

Vecteur d'attaque

http flood · via HTTP:8290 · (tentative d'exploit) · → /sendgrid.yaml

Détails protocole

Méthode: GET
Chemin: /sendgrid.yaml
User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi K20 Pro Build/PKQ1.181121.001; wv) AppleWebKit/537.36 (KHTML, …

Aperçu payload

GET /sendgrid.yaml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi K20 Pro Build/PKQ1.181121.0

Port / service

8290 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1499

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1499 Upstream Waf Score

Confiance

100% Corrélation +8

Famille de menace

ddos

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

854 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

854 événement(s) — page 1/18

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /META-INF/context.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /META-INF/context.xml UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /META-INF/context.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /META-INF/context.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /META-INF/context.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 ( Requête brute (extrait) GET /META-INF/context.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "9492570995cac70fe01d3396d9d816908aee0d2c", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "3986bf7cda9cc4c51e53512817fc8584b30172b0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.478263651560671, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "a739a8b4c34e74f6e6b04e04f5a6657604086d5c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0c40155089cc44ad3bcdc28d03b3568f", "payload_hash": "a1ed40e9a0bfcde50838b22e18376253", "path_pattern_hash": "30f764f600e5073ae934f34b2b98acc2" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "method": "GET", "path": "\/META-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/META-INF\/context.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "request_sample": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e043e9f3b6d3337c8af765efc787e69a2874e99", "protocol_details": { "http_method": "GET", "http_path": "\/META-INF\/context.xml", "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/META-INF\/context.xml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/META-INF\/context.xml", "request_line": "GET \/META-INF\/context.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/66.0.3359.139 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/META-INF\/context.xml", "evidence_snippet": "GET \/META-INF\/context.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /WEB-INF/classes/application.properties	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /WEB-INF/classes/application.properties UA Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon/1… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /WEB-INF/classes/application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /WEB-INF/classes/application.properties Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /WEB-INF/classes/application.properties HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon/1.3.14 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /WEB-INF/classes/application.properties HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US Requête brute (extrait) GET /WEB-INF/classes/application.properties HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon/1.3.14 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "properties", "http_ua_hash": "93c0a2ef61ad2851b9e4d723f606465e2b5838c6", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "10b2e06ee448a350a7e1543add2e5ae160c495e4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 226, "payload_entropy": 5.317923226083201, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "0343f134f54bd077b236707a7434966a7d09509f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e491e27ce92b78290bdfc6a244626440", "payload_hash": "9d0c41848364824027bdec3ee80add32", "path_pattern_hash": "f8e656368886c0ce42a00ebbaba2414b" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US", "method": "GET", "path": "\/WEB-INF\/classes\/application.properties", "user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1", "request_sample": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US", "evidence": { "method": "GET", "path": "\/WEB-INF\/classes\/application.properties", "user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1", "request_sample": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0406391631c8ab35b13ac54efd635a5e33dd8fcf", "protocol_details": { "http_method": "GET", "http_path": "\/WEB-INF\/classes\/application.properties", "request_line": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/WEB-INF\/classes\/application.properties", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/WEB-INF\/classes\/application.properties", "request_line": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Galeon\/1.3.14", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/WEB-INF\/classes\/application.properties", "evidence_snippet": "GET \/WEB-INF\/classes\/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.idea/dataSources.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/dataSources.xml UA Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/dataSources.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.idea/dataSources.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/dataSources.xml HTTP/1.1` User-Agent Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/dataSources.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; T Requête brute (extrait) GET /.idea/dataSources.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "66bf6be33056e8f35755e11f4c4aad2bc4346360", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "d8b4f1d4ad149f189f1e83b2ee85c58600df146c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.357970996928724, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "b20e5eb9d95fa1ee0fb5e22937acb530cb9de1c3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "df0022ea60c8c650bbc2a661d81056b7", "payload_hash": "b634e1f85c87480ef533444d6c8766c7", "path_pattern_hash": "45b1a6f2cf9945ad18514ad77ffdd93e" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; T", "method": "GET", "path": "\/.idea\/dataSources.xml", "user_agent": "Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; T", "evidence": { "method": "GET", "path": "\/.idea\/dataSources.xml", "user_agent": "Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; T", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "23e4b2b432bc597cb6e724fb63fc712349d60c60", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.xml", "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; T", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.xml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.xml", "request_line": "GET \/.idea\/dataSources.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident\/6.0; IEMobile\/10.0; ARM; Touch; NOKIA; Lumia 920)", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.xml", "evidence_snippet": "GET \/.idea\/dataSources.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; T", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.idea/WebServers.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/WebServers.xml UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/WebServers.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.idea/WebServers.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/WebServers.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/WebServers.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537. Requête brute (extrait) GET /.idea/WebServers.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "d52c1c535db48a672ab0e9b4a5d4073b652b0cbc", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "732626ecbb27c33e1b5cffe507928daff3e1ffcb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 254, "payload_entropy": 5.4548127632757195, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "03181eaa4ed8c782e06de4355f4686a07b373852", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b7057cf3cdde5daa109c0dc53de9d4dd", "payload_hash": "b891e13b63414c978f765f27275e59ba", "path_pattern_hash": "3ef5b863418297cf1b3afb7572309761" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.", "method": "GET", "path": "\/.idea\/WebServers.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "request_sample": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/.idea\/WebServers.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "request_sample": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2b5d8503eed0fe86bf73656e249c5134b3aea6d9", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/WebServers.xml", "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/WebServers.xml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/WebServers.xml", "request_line": "GET \/.idea\/WebServers.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/WebServers.xml", "evidence_snippet": "GET \/.idea\/WebServers.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.idea/workspace.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/workspace.xml UA Mozilla/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit/537.36 … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/workspace.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.idea/workspace.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/workspace.xml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/workspace.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit/53 Requête brute (extrait) GET /.idea/workspace.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "ed26700070f0f27f684508a71a75284a6d67645b", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "dcd10abd9e64a56ef60f2096a44fceab68d89da5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.436002260939898, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "ca9b7e843bdfa6bdc5f06782f13e2596e729d2aa", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "aa61063fb8b0e3e40baeeaf7a97694d2", "payload_hash": "87cf5d82d6110a741938ca9dc2cbecaf", "path_pattern_hash": "5704ec26c04e317ce2b2911c876a5465" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/53", "method": "GET", "path": "\/.idea\/workspace.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "request_sample": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/.idea\/workspace.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "request_sample": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4788ad82fbe16ad9620963553a4382d48a036fd", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/workspace.xml", "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/workspace.xml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/workspace.xml", "request_line": "GET \/.idea\/workspace.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/5\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/workspace.xml", "evidence_snippet": "GET \/.idea\/workspace.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; MI PLAY) AppleWebKit\/53", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.vscode/sftp.json	Élevée	Élevé · 68
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/sftp.json UA Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE7-00/010.016; Profil… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /.vscode/sftp.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.vscode/sftp.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 68 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/sftp.json HTTP/1.1` User-Agent Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE7-00/010.016; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.3 3gpp-gba Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE7-00/010.016; Pro Requête brute (extrait) GET /.vscode/sftp.json HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Symbian/3; Series60/5.2 NokiaE7-00/010.016; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.3 3gpp-gba Accept-Charse Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "36b2c5972533af7e5956297807b2c33aa9477160", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "a7b754a65cd3a72c45519ffad56ec4883c279ab1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 310, "payload_entropy": 5.46107146532601, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 68, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2642df8dc8a37bfa5a422a38a8fe0c8517056f61", "event_fingerprint": "bca01c821bbe9d99b0a7a1745e4cc574b1eae73d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "547390dc24dabcde99bb415ff353ef57", "payload_hash": "acdb494016c7847e3dfd67c6cdf47b77", "path_pattern_hash": "4379ee7559d68deac5f1bf414dd60187" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 68 }, "payload_preview": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Pro", "method": "GET", "path": "\/.vscode\/sftp.json", "user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba\r\nAccept-Charse", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Pro", "evidence": { "method": "GET", "path": "\/.vscode\/sftp.json", "user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "request_sample": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 BrowserNG\/7.2.7.3 3gpp-gba\r\nAccept-Charse", "payload_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Pro", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c615e426f3f52eb514011f6ac77b78c8bccf7748", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/sftp.json", "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Pro", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/sftp.json", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 68\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 68, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 68, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/sftp.json", "request_line": "GET \/.vscode\/sftp.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Profile\/MIDP-2.1 Configuration\/CLDC-1.1 ) AppleWebKit\/525 (KHT\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/sftp.json", "evidence_snippet": "GET \/.vscode\/sftp.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Symbian\/3; Series60\/5.2 NokiaE7-00\/010.016; Pro", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.idea/dataSources.local.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/dataSources.local.xml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/dataSources.local.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.idea/dataSources.local.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/dataSources.local.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/dataSources.local.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) Ap Requête brute (extrait) GET /.idea/dataSources.local.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "d26e1d61c03aaf3f5f656da37f62db95c9abb313", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "69f35c14ff491b04a05fe95ac539edbead309c12", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.4138709808596905, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "ff37c7e25a6372c7e622edaef171e99b5ee4235d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f405ad96fd078e94edcb0df4d7b7acb8", "payload_hash": "66b4ef5dda6025851931e2e4ca82479d", "path_pattern_hash": "921ea8e3058ced1425d3fb1a6683e728" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Ap", "method": "GET", "path": "\/.idea\/dataSources.local.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Ap", "evidence": { "method": "GET", "path": "\/.idea\/dataSources.local.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "request_sample": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection", "payload_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Ap", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4fcaffce6277d9f7ef11e9294ba5a8d2175f160f", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.local.xml", "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Ap", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.local.xml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/dataSources.local.xml", "request_line": "GET \/.idea\/dataSources.local.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.90 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/dataSources.local.xml", "evidence_snippet": "GET \/.idea\/dataSources.local.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_3) Ap", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.vscode/settings.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/settings.json UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/settings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.vscode/settings.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/settings.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.vscode/settings.json HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "da883dc035fbe3db4c3e79ba1a23e40066413696", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "8f13238caccb97889bb93a57a58c8206b67c85b5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.43247226566109, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "1078d19e5ccb3c8065d01612d18cbe772e770b04", "event_fingerprint": "9694cd30778db605cdea477fea77eff7288c5ecf", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "acb535a8c3b43facd84a596185618592", "payload_hash": "aa180e97581030436c2e0185615cad1f", "path_pattern_hash": "f5f67949e6b52d5014abefc02d1fe9f6" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.vscode\/settings.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.vscode\/settings.json", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "request_sample": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "07f05f17e26b9d1634676a9269ad7676a43aeec6", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/settings.json", "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/settings.json", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/settings.json", "request_line": "GET \/.vscode\/settings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/63.0.3239.132 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/settings.json", "evidence_snippet": "GET \/.vscode\/settings.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.github/workflows/ci.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/ci.yml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/ci.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.github/workflows/ci.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/ci.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3872.0 Safari/537.36 Edg/78.0.244.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/ci.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) Apple Requête brute (extrait) GET /.github/workflows/ci.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3872.0 Safari/537.36 Edg/78.0.244.0 Accept-Charset: utf-8 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "0fbe053a07a324f5130bdcd7b1d5a98e1dac3c93", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "3ec364769fb4698cfcca7031daf28214f8708060", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 278, "payload_entropy": 5.480569461746722, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "d980bb107db6526e1b17fbd3214e1a12a0709c6f", "event_fingerprint": "cb68094b3e8900fa07f720030b5bf1860111dc38", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cd3df6cecfd1ad01ce65fd62291ae84f", "payload_hash": "ba465fd3d42d55b50446f8d35bfa1a38", "path_pattern_hash": "0bac82c8c4461b7e2eb48cd6eaefa7e9" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) Apple", "method": "GET", "path": "\/.github\/workflows\/ci.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36 Edg\/78.0.244.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36 Edg\/78.0.244.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) Apple", "evidence": { "method": "GET", "path": "\/.github\/workflows\/ci.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36 Edg\/78.0.244.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36 Edg\/78.0.244.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) Apple", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "466f9805fcd26df2b2efe0b5ca6b6c368f17dcab", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/ci.yml", "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) Apple", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/ci.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/ci.yml", "request_line": "GET \/.github\/workflows\/ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/ci.yml", "evidence_snippet": "GET \/.github\/workflows\/ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) Apple", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /Jenkinsfile	Élevée	Élevé · 66
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /Jenkinsfile UA Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; P… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 http_sensitive_path Cible HTTP GET /Jenkinsfile TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /Jenkinsfile Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /Jenkinsfile HTTP/1.1` User-Agent Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /Jenkinsfile HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Prof Requête brute (extrait) GET /Jenkinsfile HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/10.0.012; Profile/MIDP-2.1 Configuration/CLDC-1.1; en-us) AppleWebKit/525 (KHTML, like Gecko) WicKed/7.1.12344 Accept-Charset: utf-8 Accept- Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "afd025b06b40b784279794656acbfbcaecfe5b00", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "6196821c9b59b6ceb2d7ccd4d35e939ea59e7ed4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 293, "payload_entropy": 5.478495548015495, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 92, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "282dcb2e7c7a2730e737e583c67ba50e119dbe97", "event_fingerprint": "1efd2b6f60f77436506e97b094913cb21448afc1", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "48b77ab855ab2862ab797d6da303d70b", "payload_hash": "9fa7aa8a666dc44168b1d61fcc613dd4", "path_pattern_hash": "0d4eaf992f1a72b02518b7d952191a55" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof", "method": "GET", "path": "\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\r\nAccept-Charset: utf-8\r\nAccept-", "payload_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof", "evidence": { "method": "GET", "path": "\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebKit\/525 (KHTML, like Gecko) WicKed\/7.1.12344\r\nAccept-Charset: utf-8\r\nAccept-", "payload_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "332d094a6711b88a7807b73f5b16755b2e0186e7", "protocol_details": { "http_method": "GET", "http_path": "\/Jenkinsfile", "request_line": "GET \/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebK\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/Jenkinsfile", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 66, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/Jenkinsfile", "request_line": "GET \/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Profile\/MIDP-2.1 Configuration\/CLDC-1.1; en-us) AppleWebK\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/Jenkinsfile", "evidence_snippet": "GET \/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; Series60\/5.0 NokiaN97-1\/10.0.012; Prof", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.idea/deployment.xml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.idea/deployment.xml UA Mozilla/5.0 (Linux; Android 9; VKY-L29) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.idea/deployment.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.idea/deployment.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.idea/ Ligne de requête `GET /.idea/deployment.xml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; VKY-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.idea/deployment.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 9; VKY-L29) AppleWebKit/537.3 Requête brute (extrait) GET /.idea/deployment.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 9; VKY-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "699e49c8df61dd0687a40050ac82fc5ffcf57d20", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "ff773c35f260c28fb8b1bfb4252a50f6e0022b05", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.445311246162482, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "014fe8a54bc5d71c7a442635f41c7186acfbcb7d", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0226" ], "matched_pattern_names": [ "Probe \/.idea\/" ], "pattern_ids": [ "pat-0226" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e2278f91a3c96eab0400d64e09a11ab0", "payload_hash": "b6dd0ac4330aec7a06a19847998b05b2", "path_pattern_hash": "36b6d965d63f408f7c773a687ac24612" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.3", "method": "GET", "path": "\/.idea\/deployment.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "request_sample": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/.idea\/deployment.xml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "request_sample": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close", "payload_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f162ca1f955359e2abfddcb57e7f1a1d846a75f3", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/deployment.xml", "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/deployment.xml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.idea\/deployment.xml", "request_line": "GET \/.idea\/deployment.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.idea\/deployment.xml", "evidence_snippet": "GET \/.idea\/deployment.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VKY-L29) AppleWebKit\/537.3", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.circleci/config.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.circleci/config.yml UA Opera/7.51 (Windows NT 5.1; U) [en] Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 net_flood Cible HTTP GET /.circleci/config.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.circleci/config.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.circleci/config.yml HTTP/1.1` User-Agent Opera/7.51 (Windows NT 5.1; U) [en] Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.circleci/config.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Opera/7.51 (Windows NT 5.1; U) [en] Accept-Charset: utf- Requête brute (extrait) GET /.circleci/config.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Opera/7.51 (Windows NT 5.1; U) [en] Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "15d076f5d5012f5c648eda87ddf67503dd356260", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "42ed80c065555149f59c15145f7ae964b6a99b5e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 175, "payload_entropy": 5.238535160204025, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8c7b58f30b29d312ca31d39eae82a24cb2e825fc", "event_fingerprint": "79cde28b340ed916df77861d8dd5a6a24516f5a1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7f2162663102c514973e470d9fe75d23", "payload_hash": "69fde897af0f5b74bfcf33f0b69ac0b0", "path_pattern_hash": "b893b0eec412648d41158b9ec6bd21e4" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf-", "method": "GET", "path": "\/.circleci\/config.yml", "user_agent": "Opera\/7.51 (Windows NT 5.1; U) [en]", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "request_sample": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf-", "evidence": { "method": "GET", "path": "\/.circleci\/config.yml", "user_agent": "Opera\/7.51 (Windows NT 5.1; U) [en]", "waf_tags": [ "950326:rce-0", "950468:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "request_sample": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf-", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1d9edd19502e0e14aef0c95cd0c1746eee178c0f", "protocol_details": { "http_method": "GET", "http_path": "\/.circleci\/config.yml", "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "http_user_agent": "Opera\/7.51 (Windows NT 5.1; U) [en]", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf-", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.circleci\/config.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.circleci\/config.yml", "request_line": "GET \/.circleci\/config.yml HTTP\/1.1", "http_user_agent": "Opera\/7.51 (Windows NT 5.1; U) [en]", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.circleci\/config.yml", "evidence_snippet": "GET \/.circleci\/config.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/7.51 (Windows NT 5.1; U) [en]\r\nAccept-Charset: utf-", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.travis.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.travis.yml UA Mozilla/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.travis.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.travis.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.travis.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.travis.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "1d296199b45e0354a5d3366150f2fd57fcdfe1fe", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "0f539eb712332002814a106c4304479b90529490", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.4557271528273485, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8b3af6d06986393c8d97f411f5f3da2b05ea539d", "event_fingerprint": "ff943d8361e7e49f067ed21ccc2abd24886a8eaa", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9e60af08db595be6731fd1e551d07201", "payload_hash": "51966f2a6872b6f595f3721325365595", "path_pattern_hash": "31215e4931d9a8bb956098a35abb0b27" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.travis.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.travis.yml HTTP\/1.1", "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.travis.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.travis.yml HTTP\/1.1", "request_sample": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9eb0315093e8cff2fd9b98dd72b8f175ad1e24bd", "protocol_details": { "http_method": "GET", "http_path": "\/.travis.yml", "request_line": "GET \/.travis.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.travis.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.travis.yml", "request_line": "GET \/.travis.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.travis.yml", "evidence_snippet": "GET \/.travis.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; LGMS428) AppleWebKit\/537.36 (KHTM", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.github/workflows/main.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/main.yml UA Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/2012… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/main.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.github/workflows/main.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/main.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/main.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16 Requête brute (extrait) GET /.github/workflows/main.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Gecko Firefox/11.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "86b9f9c31a43f4a5468b8c97fa626c3b4940f1ea", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "235caf8bc184fcd8b7671c244cc53e88d83bf97b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 232, "payload_entropy": 5.382676495227115, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "d980bb107db6526e1b17fbd3214e1a12a0709c6f", "event_fingerprint": "004dd768e9cca68b98d065254d6f0d3076239843", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4c8ae1851f8d56d6e0ad6b37f9a65183", "payload_hash": "35d75ab6d7c4e92869fe8bcedc994f2e", "path_pattern_hash": "e05ba7286924149fefd56c25594fa0c5" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16", "method": "GET", "path": "\/.github\/workflows\/main.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16", "evidence": { "method": "GET", "path": "\/.github\/workflows\/main.yml", "user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ca5e3be18c386c591b53feeddd237315525b1823", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/main.yml", "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/main.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/main.yml", "request_line": "GET \/.github\/workflows\/main.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko\/20120421 Gecko Firefox\/11.0", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/main.yml", "evidence_snippet": "GET \/.github\/workflows\/main.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.vscode/tasks.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/tasks.json UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/tasks.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.vscode/tasks.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/tasks.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3722.400 QQBrowser/10.5.3739.400 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/tasks.json HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KH Requête brute (extrait) GET /.vscode/tasks.json HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3722.400 QQBrowser/10.5.3739.400 Accept-Charset: utf-8 Accept-Enc Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "d3186112ff4871be51d5d4d848cdbdff5c2acfde", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "92e911a3df5ad35698662851e6649fca8b9cc765", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 290, "payload_entropy": 5.42861426657014, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "8a9b8affc76109f39e7a08ae4a026dc719e83825", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3db18e6622666e10d6e284295d9ee94e", "payload_hash": "db9eb00906eaacdee1a37166d685c15a", "path_pattern_hash": "71d0e06039e234c8f571eb83415e4643" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/.vscode\/tasks.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3739.400", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "request_sample": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3739.400\r\nAccept-Charset: utf-8\r\nAccept-Enc", "payload_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/.vscode\/tasks.json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3739.400", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "request_sample": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3722.400 QQBrowser\/10.5.3739.400\r\nAccept-Charset: utf-8\r\nAccept-Enc", "payload_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fbfd81b5d443a9b1965a9d3cc53f61de97b1c135", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/tasks.json", "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/tasks.json", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/tasks.json", "request_line": "GET \/.vscode\/tasks.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/tasks.json", "evidence_snippet": "GET \/.vscode\/tasks.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KH", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.gitlab-ci.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.gitlab-ci.yml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.gitlab-ci.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.gitlab-ci.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.gitlab-ci.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605 Requête brute (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "91ece6334beb879a824a06c33b4cb4240e4c6f56", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "438af05b92495206533fc223d46e511d40c32485", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.369197210397753, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "232800d2baed7962636d5b627652e583db8cdd05", "event_fingerprint": "9dffd189994567f67e04e9661fa9131d3fd55dbf", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "27a2558c36538127dcb1af9bbb95af64", "payload_hash": "d774d0de182ef9a1edcf845fe68ac748", "path_pattern_hash": "1c248e6546ed96558dfcda198b4e61ef" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605", "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605", "evidence": { "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb455c79ebed53ed87383b10993ab0ae1d84bdd6", "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.0.2 Safari\/605.1.15", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.vscode/launch.json	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.vscode/launch.json UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.vscode/launch.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.vscode/launch.json Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.vscode/ Ligne de requête `GET /.vscode/launch.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /.vscode/launch.json HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "json", "http_ua_hash": "d132bdde37af872e8ac493c8cc22b5595d4ef1ac", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "f955acacb64b027ce0fe999c2601f7358bc4da5a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.446899002533528, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "a76a7f1bb22d7980559276c2e880db0f90d4fb38", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0227" ], "matched_pattern_names": [ "Probe \/.vscode\/" ], "pattern_ids": [ "pat-0227" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "57819b3b23420452ac601ea97c8e21ea", "payload_hash": "707acfbe0dc970ad67879fe27bd87ab0", "path_pattern_hash": "2ff6c8576629cb803256f3fb9cd546fa" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/.vscode\/launch.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "request_sample": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/.vscode\/launch.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "request_sample": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0f34fd5dd9f728b32cb62230e60df244ea8f8e40", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/launch.json", "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/launch.json", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.vscode\/launch.json", "request_line": "GET \/.vscode\/launch.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.vscode\/launch.json", "evidence_snippet": "GET \/.vscode\/launch.json HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /jenkins/Jenkinsfile	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /jenkins/Jenkinsfile UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML like … Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_jenkins Cible HTTP GET /jenkins/Jenkinsfile TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /jenkins/Jenkinsfile Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /jenkins/Jenkinsfile HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/36.0.1985.125 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /jenkins/Jenkinsfile HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/36.0.1985.125 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "94a27920fca0c05ac57381b71c400e1f0d5a54e0", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "171840fe47dfd6f2d76e0b80f11136ea038cbc5d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.433753586455791, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "a9185acc2cc5c1a5beb84eb3ed881a5836455949", "event_fingerprint": "83bed436dcc4f343fcccd29d386d78786285aa69", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b43ec190aca002195975899db8f44a45", "payload_hash": "c3ae72046dc05037a2a131494f04e251", "path_pattern_hash": "40125f4f361452a7111c9b4a9dc1dfb2" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML ", "method": "GET", "path": "\/jenkins\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/jenkins\/Jenkinsfile", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "request_sample": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.125 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8e2a970df22df4f42e0045a729ea9f731020a9d7", "protocol_details": { "http_method": "GET", "http_path": "\/jenkins\/Jenkinsfile", "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jenkins\/Jenkinsfile", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/jenkins\/Jenkinsfile", "request_line": "GET \/jenkins\/Jenkinsfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.125 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/jenkins\/Jenkinsfile", "evidence_snippet": "GET \/jenkins\/Jenkinsfile HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_jenkins", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.github/workflows/deploy.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/deploy.yml UA Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Bui… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/deploy.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.github/workflows/deploy.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/deploy.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint Requête brute (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Accept-Charset: utf-8 Accept-Enc Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "8646a79deb7f829cab47c5b898707f11746b7e9b", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "9a980960a1dce8601282270803934f12c1e6c3d4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 290, "payload_entropy": 5.468349121448802, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "d980bb107db6526e1b17fbd3214e1a12a0709c6f", "event_fingerprint": "3a5410186756e220f09d36854c876e93ca305687", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "22e8c0d74d4abdc760d3e5d5b357d472", "payload_hash": "e3592198d850dadb2f057f8c536e57c0", "path_pattern_hash": "76cfbca880390f07dc02774a92e03828" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint", "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Enc", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint", "evidence": { "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Enc", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3aa556950ef1f06dc4bb15ed66a36038cb0557e0", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/FRF91) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /debug.log	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /debug.log UA BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /debug.log HTTP/1.1` User-Agent BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/5.0.3.3 UP.Link/5.1.2.12 (Google WAP Proxy/1.0) Règles WAF nosqli-3 Payload (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Brow Requête brute (extrait) GET /debug.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: BlackBerry7520/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/5.0.3.3 UP.Link/5.1.2.12 (Google WAP Proxy/1.0) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "1d6116b971cccd9c8a7525e49df0342331cefa8e", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "77d9f648329aebdef206c4b1d63546db6147ce3b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 248, "payload_entropy": 5.330379610961435, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 32, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9ae8442b1a1c6aed2ce806c81f4908400ddd1dce", "event_fingerprint": "07932882174c1d426b713410183c0fbb40ff10da", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c418f3abffb1f2b47ac3c0103fca4c46", "payload_hash": "cdbb031efc51f249a8ba7b29ebd86c7a", "path_pattern_hash": "55839acef8bcadd99e7e1a1cdf75a15f" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Brow", "method": "GET", "path": "\/debug.log", "user_agent": "BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Browser\/5.0.3.3 UP.Link\/5.1.2.12 (Google WAP Proxy\/1.0)", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/debug.log HTTP\/1.1", "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Browser\/5.0.3.3 UP.Link\/5.1.2.12 (Google WAP Proxy\/1.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Brow", "evidence": { "method": "GET", "path": "\/debug.log", "user_agent": "BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Browser\/5.0.3.3 UP.Link\/5.1.2.12 (Google WAP Proxy\/1.0)", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/debug.log HTTP\/1.1", "request_sample": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Browser\/5.0.3.3 UP.Link\/5.1.2.12 (Google WAP Proxy\/1.0)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Brow", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93f5a0ec7be9dddfb3b1dfbeac49a941365108f0", "protocol_details": { "http_method": "GET", "http_path": "\/debug.log", "request_line": "GET \/debug.log HTTP\/1.1", "http_user_agent": "BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Browser\/5.0.3.3 UP.Link\/5.1.2.12 (Google WAP Proxy\/1.0)", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Brow", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/debug.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/debug.log", "request_line": "GET \/debug.log HTTP\/1.1", "http_user_agent": "BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Browser\/5.0.3.3 UP.Link\/5.1.2.12 (Google WAP Proxy\/1.0)", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/debug.log", "evidence_snippet": "GET \/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: BlackBerry7520\/4.0.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1 UP.Brow", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /bitbucket-pipelines.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /bitbucket-pipelines.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/604.1 (KHTML, like … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /bitbucket-pipelines.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /bitbucket-pipelines.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /bitbucket-pipelines.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/604.1 (KHTML, like Gecko) Version/11.0 Safari/604.1 Ubuntu/17.04 (3.24.1-0ubuntu1) Epiphany/3.24.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /bitbucket-pipelines.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/604.1 (KHT Requête brute (extrait) GET /bitbucket-pipelines.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/604.1 (KHTML, like Gecko) Version/11.0 Safari/604.1 Ubuntu/17.04 (3.24.1-0ubuntu1) Epiphany/3.24.1 Accept-Charset: utf-8 Accept-Encoding Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "e3835201e8c804d1a1346eb5f25c572f4fb53f80", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "e18939aa25137b140957dface586fa6d87f55246", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 285, "payload_entropy": 5.419532864211655, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8b3af6d06986393c8d97f411f5f3da2b05ea539d", "event_fingerprint": "c3fca921694d6879bbe2fd4ac44c69c1f21d2e32", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7f9bd9ad44c8b60174eada85397e632c", "payload_hash": "fd6d9d5c1946aea839ca025dec62fffe", "path_pattern_hash": "7196cda3d0ac0fc416539ef0a94d0999" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHT", "method": "GET", "path": "\/bitbucket-pipelines.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, like Gecko) Version\/11.0 Safari\/604.1 Ubuntu\/17.04 (3.24.1-0ubuntu1) Epiphany\/3.24.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "request_sample": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, like Gecko) Version\/11.0 Safari\/604.1 Ubuntu\/17.04 (3.24.1-0ubuntu1) Epiphany\/3.24.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHT", "evidence": { "method": "GET", "path": "\/bitbucket-pipelines.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, like Gecko) Version\/11.0 Safari\/604.1 Ubuntu\/17.04 (3.24.1-0ubuntu1) Epiphany\/3.24.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "request_sample": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, like Gecko) Version\/11.0 Safari\/604.1 Ubuntu\/17.04 (3.24.1-0ubuntu1) Epiphany\/3.24.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding", "payload_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHT", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e7de9ebfd0a98c48b8fcdfc638a661825e9071fe", "protocol_details": { "http_method": "GET", "http_path": "\/bitbucket-pipelines.yml", "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, like Gecko) Version\/11.0 Safari\/604.1 Ubuntu\/17.04 (3.24.1-0u\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHT", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bitbucket-pipelines.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bitbucket-pipelines.yml", "request_line": "GET \/bitbucket-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHTML, like Gecko) Version\/11.0 Safari\/604.1 Ubuntu\/17.04 (3.24.1-0u\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bitbucket-pipelines.yml", "evidence_snippet": "GET \/bitbucket-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/604.1 (KHT", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.github/workflows/production.yml	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/production.yml UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/production.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.github/workflows/production.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/production.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3704.400 QQBrowser/10.4.3587.400 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/production.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWeb Requête brute (extrait) GET /.github/workflows/production.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3704.400 QQBrowser/10.4.3587.400 Accept-Charset: utf Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "b3a73502ae08945ef77d64d44f4755266af5ebb4", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "38eaa565ff94c56233c59ea6d104fdaddcc93cea", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 304, "payload_entropy": 5.450885855010554, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "d980bb107db6526e1b17fbd3214e1a12a0709c6f", "event_fingerprint": "496c8a87750c21e5e60dd4c32080ba13621a4372", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "33a597eb6149c7d737a3d0bb37549fae", "payload_hash": "07b1d4135a6392bf27c90b94629d893b", "path_pattern_hash": "9eba29b7a547d56eaba268ebadba8373" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb", "method": "GET", "path": "\/.github\/workflows\/production.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3704.400 QQBrowser\/10.4.3587.400", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/production.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3704.400 QQBrowser\/10.4.3587.400\r\nAccept-Charset: utf", "payload_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb", "evidence": { "method": "GET", "path": "\/.github\/workflows\/production.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3704.400 QQBrowser\/10.4.3587.400", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/production.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70.3704.400 QQBrowser\/10.4.3587.400\r\nAccept-Charset: utf", "payload_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b4e138617cb6bf8b127698b4327eb25a015bff6", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/production.yml", "request_line": "GET \/.github\/workflows\/production.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/production.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/production.yml", "request_line": "GET \/.github\/workflows\/production.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.25 Safari\/537.36 Core\/1.70\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/production.yml", "evidence_snippet": "GET \/.github\/workflows\/production.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWeb", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.buildkite/pipeline.yml	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.buildkite/pipeline.yml UA Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_flood Cible HTTP GET /.buildkite/pipeline.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.buildkite/pipeline.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.buildkite/pipeline.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/53 Requête brute (extrait) GET /.buildkite/pipeline.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 9; moto x4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "yml", "http_ua_hash": "d6429cd4a02ff4890fb743fbec29630514a264bd", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "4bafbac6a6a3a3e498ce6febcc708140823e7542", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 263, "payload_entropy": 5.3903534460028855, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 62, "tag_count": 4, "anomaly_count": 0, "campaign_key": "14ebdc3dfd340342eb5b91d3956d5fd7d81af1f8", "event_fingerprint": "472bde880e33dbbffa5103efa719d26b5718a9de", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8f9597a1b336d4dbfe96aa1cfc860d55", "payload_hash": "0569e6e6b7e0056a1ba8e964104228ee", "path_pattern_hash": "483e00e02486581ed9691d00f40bae15" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/53", "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/.buildkite\/pipeline.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "request_sample": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl", "payload_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "15608477e03ad82feee4de4d9b56ba49477fa60c", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.buildkite\/pipeline.yml", "request_line": "GET \/.buildkite\/pipeline.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.143 Mobile Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.buildkite\/pipeline.yml", "evidence_snippet": "GET \/.buildkite\/pipeline.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto x4) AppleWebKit\/53", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /azure-pipelines.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /azure-pipelines.yml UA Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/53… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /azure-pipelines.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /azure-pipelines.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /azure-pipelines.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebK Requête brute (extrait) GET /azure-pipelines.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "042aea374dea8d91a602a0e615549b479ed19ff2", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "8bacf7ba189e1d49695131e01ec30c1752198ab0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 268, "payload_entropy": 5.3918362185900275, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8b3af6d06986393c8d97f411f5f3da2b05ea539d", "event_fingerprint": "daf863e2f58458bd4ffbf4fb485064bb704d51e2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "00d61033796631745a230211c2789e70", "payload_hash": "cd79ee0bc2bdbf3dc9e393877a638646", "path_pattern_hash": "d76578f2ff8c409283f48927713c6e3e" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebK", "method": "GET", "path": "\/azure-pipelines.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebK", "evidence": { "method": "GET", "path": "\/azure-pipelines.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "request_sample": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "696791c67f3382d7dda450772c8552f0cb0c1899", "protocol_details": { "http_method": "GET", "http_path": "\/azure-pipelines.yml", "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/azure-pipelines.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/azure-pipelines.yml", "request_line": "GET \/azure-pipelines.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/azure-pipelines.yml", "evidence_snippet": "GET \/azure-pipelines.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; HTC U11 plus) AppleWebK", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.drone.yaml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.drone.yaml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.drone.yaml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.drone.yaml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.drone.yaml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240&Win32 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.drone.yaml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /.drone.yaml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240&Win32 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yaml", "http_ua_hash": "b0364640299db33f8404b11696d99381bae30e58", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "2dde7c7ac3e6a210a636b7b4438f90ddd70a6f86", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.441179736169049, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1b70a2e093ebbd3ad46ed66bfb99d698e25a41c1", "event_fingerprint": "a146028145973164252aaec907f12e90f34fcc34", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7236346f5c04ebdd8f79152ee3fb55b6", "payload_hash": "d12160bb575272e810192ed7a3bed6d8", "path_pattern_hash": "375bdd2accbc560de2cef140cdb7ad08" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/.drone.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yaml HTTP\/1.1", "request_sample": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/.drone.yaml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yaml HTTP\/1.1", "request_sample": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection:", "payload_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d0ce5a5fa58052b94132a3615656fc507b39467e", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yaml", "request_line": "GET \/.drone.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edg\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yaml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yaml", "request_line": "GET \/.drone.yaml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edg\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yaml", "evidence_snippet": "GET \/.drone.yaml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.drone.yml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.drone.yml UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.3… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /.drone.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.drone.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.drone.yml HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.drone.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 (K Requête brute (extrait) GET /.drone.yml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "db8d17a8037deeb666ae7780dd22b987a1507927", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "1954ac9283af903ae4a6de319bd93df245fb035e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.458122400620212, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1b70a2e093ebbd3ad46ed66bfb99d698e25a41c1", "event_fingerprint": "1cfc4d43682805546f1e44553709e2a3eb30498e", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "55e79b0731b665179b078f6c2ca76344", "payload_hash": "4a8fb6ea74f59fe5496c51629ffca41e", "path_pattern_hash": "f74d63edd884e7a9299ad52f54b46b61" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/.drone.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yml HTTP\/1.1", "request_sample": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/.drone.yml", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.drone.yml HTTP\/1.1", "request_sample": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2806b5da038121c200b5798ca7d338bc95f33d98", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yml", "request_line": "GET \/.drone.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (K", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.drone.yml", "request_line": "GET \/.drone.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.drone.yml", "evidence_snippet": "GET \/.drone.yml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A6010) AppleWebKit\/537.36 (K", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /trace.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /trace.log UA Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /trace.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /trace.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /trace.log HTTP/1.1` User-Agent Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /trace.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "84a2ccf708829a47f2bf451d0f5e06ee49ecbf88", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "0306f640cbfe7832e364cfa8aaa4495e8ef14f08", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 242, "payload_entropy": 5.441221940961252, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3b08939a1ca03b31b02ccff2d7b984fa141969a2", "event_fingerprint": "a41376578099058e6a89ba87e75ebfa0f1fb0831", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5d610c3fddba74f744913916d1163e9c", "payload_hash": "7c786568680f7e3ad2773721bd36d937", "path_pattern_hash": "f8d80e9ce78cc8d6e0404ba95f5bd5a6" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/trace.log", "user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/trace.log HTTP\/1.1", "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/trace.log", "user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/trace.log HTTP\/1.1", "request_sample": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f23f03a383a35da6f7c3a40655bdc254b5ca19b5", "protocol_details": { "http_method": "GET", "http_path": "\/trace.log", "request_line": "GET \/trace.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, l", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/trace.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/trace.log", "request_line": "GET \/trace.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/trace.log", "evidence_snippet": "GET \/trace.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, l", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /application.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /application.log UA Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /application.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /application.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /application.log HTTP/1.1` User-Agent Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12.388 Version/12.10 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Prest Requête brute (extrait) GET /application.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Opera/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto/2.12.388 Version/12.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "01d5fbf93a54fabb8ab22591bb3459434f9dab9f", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "194ffa296bf5bf546445bc77a4914a3c16983759", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 221, "payload_entropy": 5.268845092035774, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3b08939a1ca03b31b02ccff2d7b984fa141969a2", "event_fingerprint": "9129c4a86de9c04896f3f9c795373ea46c9cfbc6", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "92fb9085c955383e740262552eee1da9", "payload_hash": "f553debf4030a1dc206fbea929ca5331", "path_pattern_hash": "162fef3d3c20397fd9e19a55bcddfa03" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Prest", "method": "GET", "path": "\/application.log", "user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.log HTTP\/1.1", "request_sample": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Prest", "evidence": { "method": "GET", "path": "\/application.log", "user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.log HTTP\/1.1", "request_sample": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Prest", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c93781c45c5126499af7d62075c45f68554ccd5c", "protocol_details": { "http_method": "GET", "http_path": "\/application.log", "request_line": "GET \/application.log HTTP\/1.1", "http_user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Prest", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/application.log", "request_line": "GET \/application.log HTTP\/1.1", "http_user_agent": "Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Presto\/2.12.388 Version\/12.10", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.log", "evidence_snippet": "GET \/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (X11; FreeBSD 8.1-RELEASE i386; Edition Next) Prest", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /log/error.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /log/error.log UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_log Cible HTTP GET /log/error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /log/error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /log/error.log HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.83 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /log/error.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH Requête brute (extrait) GET /log/error.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.83 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "26696a0bbeb72767bb844c47dfe27efa6171d5e7", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "fc50733d76409093f90f46513edc67564b2421cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.411759545355935, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2f8dd3cdd7b1fc29538a2e612b6d5d464a184cd1", "event_fingerprint": "d310ca8329ff9232aa673c5f1ead15bb1e3ca8f2", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "209c2a4e859a89aba39b77c3a3815fb7", "payload_hash": "811079459fa1b8958d55dc07bc717da7", "path_pattern_hash": "a4d176701e2b21dd6deff557491aab03" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/log\/error.log", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.83", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/error.log HTTP\/1.1", "request_sample": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.83\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/log\/error.log", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.83", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/error.log HTTP\/1.1", "request_sample": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.83\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: ", "payload_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "37ade82ee99966e4462abd62b04eff41268b9647", "protocol_details": { "http_method": "GET", "http_path": "\/log\/error.log", "request_line": "GET \/log\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/error.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/log\/error.log", "request_line": "GET \/log\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/error.log", "evidence_snippet": "GET \/log\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KH", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_log", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /error.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /error.log UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /error.log HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /error.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "746c97dbb13d6984570db47d357e3dba2d4e421c", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "4bf2a42fc3c47a9cd3c9f83a2dcc96b460ea695c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.417756813605647, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3b08939a1ca03b31b02ccff2d7b984fa141969a2", "event_fingerprint": "d498f8252753db672201abdf97b3299dea16d956", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f2568922252b755c279e512ec2341397", "payload_hash": "9846d8c8673ae9e38f64251b648b427e", "path_pattern_hash": "377fe372f5c11075aea15748100afc0d" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like ", "method": "GET", "path": "\/error.log", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/error.log HTTP\/1.1", "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/error.log", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/error.log HTTP\/1.1", "request_sample": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "62bd476af42b24bf92119b175d544e3252d65642", "protocol_details": { "http_method": "GET", "http_path": "\/error.log", "request_line": "GET \/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/error.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/error.log", "request_line": "GET \/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/error.log", "evidence_snippet": "GET \/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /app.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /app.log UA Mozilla/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWeb… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /app.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /app.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /app.log HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/533.2+ Kindle/3.0+ Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit/531 Requête brute (extrait) GET /app.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/533.2+ Kindle/3.0+ Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "5c9cdca11b6bd63efe5ce8ca727e8f5035d2c6cb", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "bd1d5b79d00a082701f913befabe9ce3bb41a839", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.392013072433473, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3b08939a1ca03b31b02ccff2d7b984fa141969a2", "event_fingerprint": "8f13fae383d0484702a66f7032321b616b29d05b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "57047d9ca1d9780671795d8ba1919d37", "payload_hash": "24e927a27cf3d2162d952751a412d7e3", "path_pattern_hash": "705676047b0602f87a6c259c895bc0e9" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531", "method": "GET", "path": "\/app.log", "user_agent": "Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+ Kindle\/3.0+", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.log HTTP\/1.1", "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+ Kindle\/3.0+\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531", "evidence": { "method": "GET", "path": "\/app.log", "user_agent": "Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+ Kindle\/3.0+", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app.log HTTP\/1.1", "request_sample": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+ Kindle\/3.0+\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "00baaf7a4fa5c3cb045f5a7eec8cc7c14afd719e", "protocol_details": { "http_method": "GET", "http_path": "\/app.log", "request_line": "GET \/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/app.log", "request_line": "GET \/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531.2+ (KHTML, like Gecko) Version\/5.0 Safari\/533.2+\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/app.log", "evidence_snippet": "GET \/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux armv7l like Android; en-us) AppleWebKit\/531", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /laravel.log	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /laravel.log UA Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u) Émulateur HTTP WAF 7 Recommandation Investiguer Tags 950326:rce-0 http_sensitive_path net_flood Cible HTTP GET /laravel.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /laravel.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /laravel.log HTTP/1.1` User-Agent Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u) Règles WAF rce-0 Payload (extrait) GET /laravel.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u) Accept-Charset: utf-8 Requête brute (extrait) GET /laravel.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/4.8 [en] (X11; U; SunOS; 5.7 sun4u) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "53ef54d76f30eef1516d89df56f88387e6379041", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "5dd8c8bb33603d1ad2c91357a5bdf5e4a77e2fda", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.306497728098072, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 36, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b3dfa551b28a633cbce6fd7766ec43f89758d258", "event_fingerprint": "559fa79089dc70c2c1f7a99a50167abdde0775b3", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4a7b0650ea5c045432d9872e6e4ca6ac", "payload_hash": "f3ec4f50f0df92ae2103e0929249d5ef", "path_pattern_hash": "e42ca631e5a6c090d1fddca82a4d1723" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset: utf-8", "method": "GET", "path": "\/laravel.log", "user_agent": "Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/laravel.log HTTP\/1.1", "request_sample": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset: utf-8", "evidence": { "method": "GET", "path": "\/laravel.log", "user_agent": "Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)", "waf_tags": [ "950326:rce-0" ], "waf_rule_names": [ "rce-0" ], "request_line": "GET \/laravel.log HTTP\/1.1", "request_sample": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset: utf-8", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a48c5b048b66f3d487bd25cd4bc0358b0a57f034", "protocol_details": { "http_method": "GET", "http_path": "\/laravel.log", "request_line": "GET \/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset: utf-8", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 36, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/laravel.log", "request_line": "GET \/laravel.log HTTP\/1.1", "http_user_agent": "Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/laravel.log", "evidence_snippet": "GET \/laravel.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/4.8 [en] (X11; U; SunOS; 5.7 sun4u)\r\nAccept-Charset: utf-8", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 36 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /logs/app.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/app.log UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/app.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /logs/app.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /logs/app.log HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/2010 Requête brute (extrait) GET /logs/app.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "811a3b91bb40374fbc4d8ea91a8988128723fdc2", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "d0b8b644029ba159087a417f2e8eafdc14fc0ddb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.249882671533158, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c2604da3999d3b5fc31ace8a8921309a30417714", "event_fingerprint": "7c79ae9f7f6d100ec7b22a22d82995f62f822c28", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "75429bbe013e57ff9dc4da0881c45385", "payload_hash": "7215ee3469d0ed4a61871cebda2a394f", "path_pattern_hash": "1ee40b92eb3b65f75911cb662d7e1127" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/2010", "method": "GET", "path": "\/logs\/app.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/app.log HTTP\/1.1", "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/2010", "evidence": { "method": "GET", "path": "\/logs\/app.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/app.log HTTP\/1.1", "request_sample": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/2010", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c5c9cff017cb334b60240b17fd5a9061a00d6be5", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/app.log", "request_line": "GET \/logs\/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/2010", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/app.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/app.log", "request_line": "GET \/logs\/app.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/app.log", "evidence_snippet": "GET \/logs\/app.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko\/2010", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /logs/debug.log	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/debug.log UA Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10 Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /logs/debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /logs/debug.log HTTP/1.1` User-Agent Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/debug.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10 Requête brute (extrait) GET /logs/debug.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "ba835fc5c01c7d30fabce40580a56680fc183768", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "03e204e4d1092f0f3982669317d2eb101a33266b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 196, "payload_entropy": 5.1996500911073325, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "ae5c34424d5fdc1db18302caf0ec95afeb49b50d", "event_fingerprint": "8049f85f041e4500adfb7ca1a99ea5f8a874a147", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "555c46fb01dfe6e879c2dd4ba0d7f979", "payload_hash": "a62a895e09e3f9d9d0f6da1e4ab8b97c", "path_pattern_hash": "2521db54cde5bdc17cc591777e55b15e" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10\r", "method": "GET", "path": "\/logs\/debug.log", "user_agent": "Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/debug.log HTTP\/1.1", "request_sample": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10", "evidence": { "method": "GET", "path": "\/logs\/debug.log", "user_agent": "Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/debug.log HTTP\/1.1", "request_sample": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a4bb4bb1dc55d6e46790c9737860b4d7b57eab13", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/debug.log", "request_line": "GET \/logs\/debug.log HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/debug.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/debug.log", "request_line": "GET \/logs\/debug.log HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/debug.log", "evidence_snippet": "GET \/logs\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Windows NT 5.2; U; en) Presto\/2.2.15 Version\/10.10", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8290 · (tentative d'exploit) · → /web.config	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /web.config UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /web.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /web.config Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI IIS web.config Ligne de requête `GET /web.config HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.174 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "4e6c05989d2ca84ac2660b4faca5a241d97ecc17", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 257, "payload_entropy": 5.464213948136404, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5a65f81a3dcaa1d051d989fea19ea36f0ecce5c9", "event_fingerprint": "4671aa534f276024e53ebc23bec992e92c8fb051", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0120" ], "matched_pattern_names": [ "LFI IIS web.config" ], "pattern_ids": [ "pat-0120" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2387428a1cf084142d93ceb87d13a00a", "payload_hash": "34389761d115577193d351bd551d7d53", "path_pattern_hash": "0913647d7e838cdd727ceda37a671f37" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.1889.174\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d43ab3c2a8ef144765ee023079eb724a6539fd0d", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "config file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/44.0.2403.155 Safari\/537.36 OPR\/31.0.\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /server.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.log UA Mozilla/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit/53… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /server.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /server.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit/537.36 Requête brute (extrait) GET /server.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "5ccb0d5824053787b686ecc18c97ac956d40403a", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "437770240dcc724c5033b3c158c576b84dde4de1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.400805542267869, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3b08939a1ca03b31b02ccff2d7b984fa141969a2", "event_fingerprint": "31660bdecbed9920db2c10936a896f947efeb7a8", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "961c4e7c251abb2b676ae5377ee6089c", "payload_hash": "dd5755c10da754522ad077499c3dc404", "path_pattern_hash": "1bb66c038c973622f0056a763496f9ef" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36", "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/server.log", "user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.log HTTP\/1.1", "request_sample": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r", "payload_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2ae5242a10d03f218498ae58c2ee8e1e762a1e50", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.log", "request_line": "GET \/server.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.log", "evidence_snippet": "GET \/server.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; Lenovo P1a42) AppleWebKit\/537.36", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8290 · (tentative d'exploit) · → /.htpasswd	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.htpasswd UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko/201… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950522:leak-9 http_sensitive_path Cible HTTP GET /.htpasswd TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.htpasswd Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Apache htpasswd LFI Apache htpasswd Ligne de requête `GET /.htpasswd HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko/20100101 Firefox/47.0 Règles WAF rce-0 nosqli-3 leak-9 Payload (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko/20100101 Requête brute (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko/20100101 Firefox/47.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "htpasswd", "http_ua_hash": "ccfb65e77a5b2a1e634e3cbb5a4ceb05c982ed2c", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "ade2de8d21551efb00f221b43821b4acb26b6f79", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.323460969514972, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "62425dc87ff701e8bca114979a2c575224817a1e", "event_fingerprint": "0ecee1da86b021ab87bf7d1b198becc2946c19d6", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0469", "pat-0108" ], "matched_pattern_names": [ "Cred Apache htpasswd", "LFI Apache htpasswd" ], "pattern_ids": [ "pat-0469", "pat-0108" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "eb5bc121522483510e44b31021acc4b2", "payload_hash": "310c05e359d61b1e9d7873e3e0c6a322", "path_pattern_hash": "229c0a4c773f5f9eeec1d298c58088ee" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101", "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101", "evidence": { "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ee950ebc09572de8211b68e09aa392b1fe98ad9", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101", "attack_vector": "config file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htpasswd", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101 Firefox\/47.0", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.htpasswd", "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:47.0) Gecko\/20100101", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /access.log	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /access.log UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /access.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /access.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /access.log HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /access.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 Requête brute (extrait) GET /access.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "log", "http_ua_hash": "4b4d44441cea9a6f69a04e397b310dcf47145d82", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "63438c908367e4f8041717ab279c4d967e15af99", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 249, "payload_entropy": 5.393506883695202, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3b08939a1ca03b31b02ccff2d7b984fa141969a2", "event_fingerprint": "35d4fb828e88cbefe8b69f4f0ac3f6403308f4f0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "410496fe29d0f9f579c9e4e5eacd1182", "payload_hash": "c065baae6ddfe57700a03a519837caa6", "path_pattern_hash": "3185fcf0045ab357f9b5c65f6fd9ad4d" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 ", "method": "GET", "path": "\/access.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/access.log HTTP\/1.1", "request_sample": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/access.log", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/access.log HTTP\/1.1", "request_sample": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72f8bb70ca6e3cb340f04454f975931f1d11cfd0", "protocol_details": { "http_method": "GET", "http_path": "\/access.log", "request_line": "GET \/access.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/access.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/access.log", "request_line": "GET \/access.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.0 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/access.log", "evidence_snippet": "GET \/access.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /server.xml	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /server.xml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /server.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /server.xml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Tomcat server.xml Ligne de requête `GET /server.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /server.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /server.xml HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "8073fe946fe564c1da0b2d38abe09a9602bc5a79", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "524717bd951511cea8642b855a654b176416ff2d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 244, "payload_entropy": 5.453588375075452, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1b70a2e093ebbd3ad46ed66bfb99d698e25a41c1", "event_fingerprint": "acb61314df9b6c67fc34a9e4f19f5f7af01627cc", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0133" ], "matched_pattern_names": [ "LFI Tomcat server.xml" ], "pattern_ids": [ "pat-0133" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "93845ea38aa170401ed6236fe3497b34", "payload_hash": "d6a931fe5b8905c39d7bb3347df31079", "path_pattern_hash": "d4d89f4ec79feb80a890ebb7bb0f42f9" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/server.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.xml HTTP\/1.1", "request_sample": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/server.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/server.xml HTTP\/1.1", "request_sample": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6f713d15e49f23557a82ab31aec91ece81580c10", "protocol_details": { "http_method": "GET", "http_path": "\/server.xml", "request_line": "GET \/server.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.xml", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/server.xml", "request_line": "GET \/server.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/49.0.2623.75 Safari\/537.36", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/server.xml", "evidence_snippet": "GET \/server.xml HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.netrc	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.netrc UA msnbot-media/1.1 ( http://search.msn.com/msnbot.htm) Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950406:ssrf-3 950470:nosqli-3 net_flood Cible HTTP GET /.netrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.netrc Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred Netrc credentials LFI Double-dot bypass Ligne de requête `GET /.netrc HTTP/1.1` User-Agent msnbot-media/1.1 ( http://search.msn.com/msnbot.htm) Règles WAF ssrf-3 nosqli-3 Payload (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: msnbot-media/1.1 ( http://search.msn.com/msnbot.htm) Accept-Charset: u Requête brute (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: msnbot-media/1.1 ( http://search.msn.com/msnbot.htm) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "netrc", "http_ua_hash": "1c76ffbff4c60c141cc2e21f2f4246e3b8abb685", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "b7551dc22135c68ecee0a4d011ec4c0b7c771e06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 178, "payload_entropy": 5.036518315429686, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6fd858517765cd0b1f979c52e8fac5d67512de6b", "event_fingerprint": "264782012dcad99eab5c6c5af9e724a9171538a3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0482", "pat-0103" ], "matched_pattern_names": [ "Cred Netrc credentials", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0482", "pat-0103" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9ff6b79ef227555a76aa93991fbffd1", "payload_hash": "ee9a1ac2d83c4ed08d7811899c4a6230", "path_pattern_hash": "5fa317981ba713f7d39164540951d6bb" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: u", "method": "GET", "path": "\/.netrc", "user_agent": "msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: u", "evidence": { "method": "GET", "path": "\/.netrc", "user_agent": "msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: u", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf46b5e9c2a75041c208d8df2b23e02de2be4213", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: u", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.netrc", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.netrc", "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: msnbot-media\/1.1 ( http:\/\/search.msn.com\/msnbot.htm)\r\nAccept-Charset: u", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:8290 · (tentative d'exploit) · → /.ssh/id_rsa	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.ssh/id_rsa UA Mozilla/5.0 (Linux; Android 7.1.1; BBB100-1 Build/NMF26F) Apple… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_id_rsa Cible HTTP GET /.ssh/id_rsa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.ssh/id_rsa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde clé SSH / id_rsa · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux SIGMA-web-credential-file Http Id Rsa pat-0490 pat-0495 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH key in .ssh Cred SSH private key id_rsa Ligne de requête `GET /.ssh/id_rsa HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.1.1; BBB100-1 Build/NMF26F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; BBB100-1 Build/NMF26F) AppleWeb Requête brute (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; BBB100-1 Build/NMF26F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ssh\/id_rsa", "http_ua_hash": "e6f70c85d2fa5a441c4d7e1553dcd1193756c7bb", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "d951dfd854ab99392c126a2628ec52b85415a678", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.47008588094836, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c37d50a12623ae73187ed71b713206d5be20a7e1", "event_fingerprint": "1ebeba3b8dbcad837ce4d91ac47e16ec98e8a35f", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 393, "precision_signals": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0490", "pat-0495" ], "matched_pattern_names": [ "Cred SSH key in .ssh", "Cred SSH private key id_rsa" ], "pattern_ids": [ "pat-0490", "pat-0495" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b41ee721ba21f7fa421c347798c990e5", "payload_hash": "4668a6079f516914eeede3d987d5443f", "path_pattern_hash": "6eca2c923ad05fff3eba197c659999e2" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWeb", "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWeb", "evidence": { "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWeb", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7c611b3c6cc3994591ca2d712f8336974b602994", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 M\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWeb", "attack_vector": "credential file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "Http Id Rsa", "pat-0490", "pat-0495" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.125 M\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; BBB100-1 Build\/NMF26F) AppleWeb", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_id_rsa", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /logs/error.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/error.log UA Mozilla/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit/537.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/error.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /logs/error.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Error log disclosure Ligne de requête `GET /logs/error.log HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit/537. Requête brute (extrait) GET /logs/error.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "82bc08fcd754aebae7cb8412656fd0b2c0b04c8c", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "9d5f558e73ca716aa21e27c6081370ba7dda563b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.37021420032304, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c2604da3999d3b5fc31ace8a8921309a30417714", "event_fingerprint": "a675e7268b09d9830177c0d25f5ab20da22520f5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0115" ], "matched_pattern_names": [ "LFI Error log disclosure" ], "pattern_ids": [ "pat-0115" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "43f45cfe9fd28ea822e7317744b01c05", "payload_hash": "3fb2a87ff6e6c5aeea0fa763175f86c6", "path_pattern_hash": "11a7dc2316512e9b8311ac327e383bb9" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.", "method": "GET", "path": "\/logs\/error.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/error.log HTTP\/1.1", "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/logs\/error.log", "user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/error.log HTTP\/1.1", "request_sample": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3afc11c1e2abc4a9d7ac43a74b430f5b8c248e36", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/error.log", "request_line": "GET \/logs\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safar\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/error.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/error.log", "request_line": "GET \/logs\/error.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safar\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/error.log", "evidence_snippet": "GET \/logs\/error.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; moto g(6) plus) AppleWebKit\/537.", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /.pypirc	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.pypirc UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.pypirc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.pypirc Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.pypirc HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KH Requête brute (extrait) GET /.pypirc HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pypirc", "http_ua_hash": "c0323a15455a634ec5e8543ade1d14e97ebbc349", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "4f379f0493c77f8c140c8f093ef7d07d4d18769b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.394242930440192, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "dce731d319a9f7defcb87a331496c627415a612c", "event_fingerprint": "5f76836c2fb7efb21bcfca1624ef6954df09f806", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bc2e3ce6d342be0e9ed225494d09309f", "payload_hash": "9e1e9a5d1db3d07b881a9b0ca7adcfc8", "path_pattern_hash": "f4c8c175cb2aad95cfdfc95e8249602c" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KH", "method": "GET", "path": "\/.pypirc", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.pypirc HTTP\/1.1", "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KH", "evidence": { "method": "GET", "path": "\/.pypirc", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.pypirc HTTP\/1.1", "request_sample": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KH", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "749c2a20bd67948b1dc4e0782e6c9f2e9fb8c4c3", "protocol_details": { "http_method": "GET", "http_path": "\/.pypirc", "request_line": "GET \/.pypirc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KH", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.pypirc", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.pypirc", "request_line": "GET \/.pypirc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.pypirc", "evidence_snippet": "GET \/.pypirc HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit\/537.36 (KH", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8290 · (tentative d'exploit) · → /nginx.conf	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /nginx.conf UA Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /nginx.conf TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /nginx.conf Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /nginx.conf HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148;WeRead/4.1.3 (iPad; iOS 12.3.1; Scale/2.00) Règles WAF rce-0 nosqli-3 Payload (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605.1.1 Requête brute (extrait) GET /nginx.conf HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148;WeRead/4.1.3 (iPad; iOS 12.3.1; Scale/2.00) Accept-Charset: utf-8 Accept-Encoding: gzip C Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "conf", "http_ua_hash": "f738946810956c2025d2bf3e12f10f5c055e13c5", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "845c3b2b5656c277525928bf4edf7c41919ad7fa", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 276, "payload_entropy": 5.404416499281826, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5a65f81a3dcaa1d051d989fea19ea36f0ecce5c9", "event_fingerprint": "a5eaeb196624205a2a71c62d492609568be0fddc", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5683bb1b83eff70fd3776af24b7f3e87", "payload_hash": "28e2cda0696569c96bc6d2721f76ac54", "path_pattern_hash": "80f5fa98cca489e2cf5aa551565e088f" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.1", "method": "GET", "path": "\/nginx.conf", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iPad; iOS 12.3.1; Scale\/2.00)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.conf HTTP\/1.1", "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iPad; iOS 12.3.1; Scale\/2.00)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.1", "evidence": { "method": "GET", "path": "\/nginx.conf", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iPad; iOS 12.3.1; Scale\/2.00)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/nginx.conf HTTP\/1.1", "request_sample": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iPad; iOS 12.3.1; Scale\/2.00)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.1", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ccf93b4be88acecbeb8e7c6b317a2ca0ac284835", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.conf", "request_line": "GET \/nginx.conf HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iP\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.1", "attack_vector": "config file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.conf", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/nginx.conf", "request_line": "GET \/nginx.conf HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148;WeRead\/4.1.3 (iP\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/nginx.conf", "evidence_snippet": "GET \/nginx.conf HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.1", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:8290 · (tentative d'exploit) · → /id_rsa	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /id_rsa UA LG-GC900/V10a Obigo/WAP2.0 Profile/MIDP-2.1 Configuration/CLDC-… Émulateur HTTP WAF 6 Recommandation Investiguer Tags 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /id_rsa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /id_rsa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 52 Confiance : Confiance 100 % — Motif catalogue confirmé · 1 tag(s) WAF Signaux SIGMA-web-credential-file pat-0495 Upstream Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH private key id_rsa Ligne de requête `GET /id_rsa HTTP/1.1` User-Agent LG-GC900/V10a Obigo/WAP2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1 Règles WAF nosqli-3 Payload (extrait) GET /id_rsa HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: LG-GC900/V10a Obigo/WAP2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1 Acc Requête brute (extrait) GET /id_rsa HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: LG-GC900/V10a Obigo/WAP2.0 Profile/MIDP-2.1 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "fbca39836bcb1c175549b65fb7842f5d026a1c60", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "e7082bf89fb3315806e7ae6952f0a88884c69468", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 192, "payload_entropy": 5.282054885150153, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 32, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 32, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 52, "tag_count": 3, "anomaly_count": 0, "campaign_key": "483f79637922a1e19c5d6abdf13f4290e4378561", "event_fingerprint": "683972b2573a9cd320b36088e14ba5227273c53f", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 195, "precision_signals": [ "SIGMA-web-credential-file", "pat-0495", "INT-upstream" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "pat-0495", "INT-upstream" ], "matched_patterns": [ "pat-0495" ], "matched_pattern_names": [ "Cred SSH private key id_rsa" ], "pattern_ids": [ "pat-0495" ], "confidence_breakdown": { "waf": 32, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b142c784a916bec69fe6bdac577850be", "payload_hash": "5d22322e7222dc9ae45aaf6caaf99f37", "path_pattern_hash": "7db94f5d7ea5ac98ea13d8c61becd367" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1\r\nAcc", "method": "GET", "path": "\/id_rsa", "user_agent": "LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/id_rsa HTTP\/1.1", "request_sample": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1\r\nAcc", "evidence": { "method": "GET", "path": "\/id_rsa", "user_agent": "LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/id_rsa HTTP\/1.1", "request_sample": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1\r\nAcc", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2f0c8c46068d874d72060ebf12f6ecf89927f6e8", "protocol_details": { "http_method": "GET", "http_path": "\/id_rsa", "request_line": "GET \/id_rsa HTTP\/1.1", "http_user_agent": "LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1\r\nAcc", "attack_vector": "credential file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/id_rsa", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 32, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "SIGMA-web-credential-file", "pat-0495", "INT-upstream" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "pat-0495", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/id_rsa", "request_line": "GET \/id_rsa HTTP\/1.1", "http_user_agent": "LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/id_rsa", "evidence_snippet": "GET \/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: LG-GC900\/V10a Obigo\/WAP2.0 Profile\/MIDP-2.1 Configuration\/CLDC-1.1\r\nAcc", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /log/debug.log	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /log/debug.log UA Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/3… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_log Cible HTTP GET /log/debug.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /log/debug.log Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Debug log disclosure Ligne de requête `GET /log/debug.log HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32 Requête brute (extrait) GET /log/debug.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:32.0) Gecko/20100101 Firefox/32.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "51be3634ba4e4a58df8e12f83430a343c74959ff", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "3fb5b472f52b8bcac2f6138463cf27ff65b8c633", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.279781450330938, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "865ac79ed3a3a0d23cc880b3d08d16fbbdd1a2ca", "event_fingerprint": "6681de09317e28357a528e1ce8c466359d3c6798", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0110" ], "matched_pattern_names": [ "LFI Debug log disclosure" ], "pattern_ids": [ "pat-0110" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5285b277d72c4ac82f931a2157ac21b8", "payload_hash": "36ca50e868aeb2f31001fed9fc22751e", "path_pattern_hash": "0a13815894d10bbcd047ea689c56dc08" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32", "method": "GET", "path": "\/log\/debug.log", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/debug.log HTTP\/1.1", "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32", "evidence": { "method": "GET", "path": "\/log\/debug.log", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/log\/debug.log HTTP\/1.1", "request_sample": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d75f0f50ccc6c493a22c8557f22eef70fae0946b", "protocol_details": { "http_method": "GET", "http_path": "\/log\/debug.log", "request_line": "GET \/log\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/debug.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/log\/debug.log", "request_line": "GET \/log\/debug.log HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32.0", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/log\/debug.log", "evidence_snippet": "GET \/log\/debug.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:32.0) Gecko\/20100101 Firefox\/32", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_log", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /logs/application.log	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /logs/application.log UA Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_logs Cible HTTP GET /logs/application.log TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /logs/application.log Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 63 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /logs/application.log HTTP/1.1` User-Agent Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /logs/application.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Pres Requête brute (extrait) GET /logs/application.log HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "log", "http_ua_hash": "35d3136c872f1aad3a3483c918696798e2b9bfec", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "cdf00c17308c69bcbf2914393a08738de75ce806", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 221, "payload_entropy": 5.201876445162893, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c2604da3999d3b5fc31ace8a8921309a30417714", "event_fingerprint": "d4aa3e7ce33c7be3623f8330610d65dfa786fb48", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "4d7250607667b0ddf1ecee4e057260f2", "payload_hash": "c0b9833eea5ae3e0c7a000f07427b368", "path_pattern_hash": "60fc95e5699c71a682d502bba60586d5" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Pres", "method": "GET", "path": "\/logs\/application.log", "user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/application.log HTTP\/1.1", "request_sample": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Pres", "evidence": { "method": "GET", "path": "\/logs\/application.log", "user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/logs\/application.log HTTP\/1.1", "request_sample": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Pres", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "04d14d0ca8b1866af3d47f6bbeb296f55a8272ef", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/application.log", "request_line": "GET \/logs\/application.log HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Pres", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/application.log", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/logs\/application.log", "request_line": "GET \/logs\/application.log HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto\/2.9.168 Version\/11.52", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/logs\/application.log", "evidence_snippet": "GET \/logs\/application.log HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Pres", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_logs", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /private_key.pem	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /private_key.pem UA Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /private_key.pem TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /private_key.pem Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /private_key.pem HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/53 Requête brute (extrait) GET /private_key.pem HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "pem", "http_ua_hash": "1ec274d544b036124f87314a3dd2781ca6d4e3d0", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "0f51bc792d6f938bb82ea19d1935c3464eb59ea8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.443850882393119, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "dce731d319a9f7defcb87a331496c627415a612c", "event_fingerprint": "e4ecbc4529b815d33c9a78b348998fd80e87c17a", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea6f1477f91495e62d79ab8e33b6f2b3", "payload_hash": "91d8d0959b452941cfb2a504f2ae7b50", "path_pattern_hash": "fb2942fad108fb946e981f9671efa9dc" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/53", "method": "GET", "path": "\/private_key.pem", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/534.14 (KHTML, like Gecko) Chrome\/9.0.601.0 Safari\/534.14", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private_key.pem HTTP\/1.1", "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/534.14 (KHTML, like Gecko) Chrome\/9.0.601.0 Safari\/534.14\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/private_key.pem", "user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/534.14 (KHTML, like Gecko) Chrome\/9.0.601.0 Safari\/534.14", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/private_key.pem HTTP\/1.1", "request_sample": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/534.14 (KHTML, like Gecko) Chrome\/9.0.601.0 Safari\/534.14\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/53", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3ea532b81e0edba522d069309c2376d211f5f4f4", "protocol_details": { "http_method": "GET", "http_path": "\/private_key.pem", "request_line": "GET \/private_key.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/534.14 (KHTML, like Gecko) Chrome\/9.0.601.0 Safari\/534.14", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private_key.pem", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/private_key.pem", "request_line": "GET \/private_key.pem HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/534.14 (KHTML, like Gecko) Chrome\/9.0.601.0 Safari\/534.14", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/private_key.pem", "evidence_snippet": "GET \/private_key.pem HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit\/53", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Flood / DDoS http flood · via HTTP:8290 · (tentative d'exploit) · → /sendgrid.js	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /sendgrid.js UA Mozilla/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) Apple… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_flood Cible HTTP GET /sendgrid.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /sendgrid.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1499 Upstream Waf Score Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /sendgrid.js HTTP/1.1` User-Agent Mozilla/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML like Gecko) Version/7.0 Mobile/11D167 Safari/123E71C Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sendgrid.js HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWeb Requête brute (extrait) GET /sendgrid.js HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML like Gecko) Version/7.0 Mobile/11D167 Safari/123E71C Accept-Charset: utf-8 Accept-Encoding: gzip Connecti Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "2ce3214e6f6fd4aa2f050acb96e483555dcc17ca", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "af3d72bf73a37ea591ef956266b665cf12d6558b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.394544947976928, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1b70a2e093ebbd3ad46ed66bfb99d698e25a41c1", "event_fingerprint": "da3fbf1349737fac89a3898699db0c05ebc57aa1", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 177, "precision_signals": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3e8ea875e597ee50195c223d7022cee2", "payload_hash": "930e849c9b2ff0b9c52099a86032ec24", "path_pattern_hash": "f692cb581dcfe0e04c53a5afcbe187bf" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWeb", "method": "GET", "path": "\/sendgrid.js", "user_agent": "Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D167 Safari\/123E71C", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.js HTTP\/1.1", "request_sample": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D167 Safari\/123E71C\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWeb", "evidence": { "method": "GET", "path": "\/sendgrid.js", "user_agent": "Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D167 Safari\/123E71C", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sendgrid.js HTTP\/1.1", "request_sample": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11D167 Safari\/123E71C\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti", "payload_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWeb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e658bfc4c31bfb42b13563ca3907f3a17ed5e42d", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.js", "request_line": "GET \/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWeb", "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.js", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "MITRE-T1499", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "MITRE-T1499", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sendgrid.js", "request_line": "GET \/sendgrid.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit\/537.51.2 (KHTML like Gecko) Version\/7.0 Mobile\/11\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sendgrid.js", "evidence_snippet": "GET \/sendgrid.js HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (iPod touch; CPU iPhone OS 7_1 like Mac OS X) AppleWeb", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_flood" ], "asn_dc_heuristic": true }
14/06/2026 11:37:25 UTC	TCP	8290 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:8290 · (tentative d'exploit) · → /.gitconfig	Élevée	Moyen · 53
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.gitconfig UA Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit/537.36 … Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_flood Cible HTTP GET /.gitconfig TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8290 Chemin / cible /.gitconfig Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.gitconfig HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit/537.36 (KHT Requête brute (extrait) GET /.gitconfig HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "gitconfig", "http_ua_hash": "6fd06e6e09468f8e8e384343a345edf31007b99c", "http_host_hash": "61a7b1773527c921928661190ee842dd18f42619", "http_target_hash": "4552edeb48a162af2c0944497328c6fed5ef02ec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.385636572879755, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "TW", "dst_port": 8290, "risk_waf": 60, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5a65f81a3dcaa1d051d989fea19ea36f0ecce5c9", "event_fingerprint": "a80777cb535d2a00cc2d0df61b282bc29aff895d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "TW", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "77f79de387d009e7a4290247b156d661", "payload_hash": "40f913bddfa364fd402d0908afe4aeee", "path_pattern_hash": "15182e65e3e4c28fd6667d0a76628de0" }, "target_context": { "dst_port": 8290, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHT", "method": "GET", "path": "\/.gitconfig", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHT", "evidence": { "method": "GET", "path": "\/.gitconfig", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitconfig HTTP\/1.1", "request_sample": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHT", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7e4a2acf9bbbca583dbfce49976f2b78036553fb", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/53\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHT", "attack_vector": "config file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 53, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8290, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.gitconfig", "request_line": "GET \/.gitconfig HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/71.0.3578.99 Mobile Safari\/53\u2026", "port": 8290, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:8290 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitconfig", "evidence_snippet": "GET \/.gitconfig HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6) AppleWebKit\/537.36 (KHT", "target_port_label": "8290 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8290" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_flood" ], "asn_dc_heuristic": true }

34.80.75.115

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence