Détails IP 34.95.158.212

Synthèse exécutive

Profil de menace

Score de risque 49/100 Moyen

Première observation 14/06/2026 15:45 UTC

Dernière observation 14/06/2026 15:46 UTC

Événements (période) 60

MITRE ATT&CK principal TA0007 60 occurrences

Activité suspecte · risque 39/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « docker_api_probe » (signaux protocolaires) · confiance 0%

Confiance 0 % — 7 signal(aux) capteur

Comparaison ASN / FAI

ASN 396982 · 34.95.144.0/20 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 60 événements sur la période pour cette IP.

205.210.31.65 Sonde Memcached 17/06/2026 20:24 UTC
198.235.24.172 Scanner web 17/06/2026 20:24 UTC
35.195.254.25 Sonde port 9146/TCP 17/06/2026 20:22 UTC
34.125.34.174 Injection de commande 17/06/2026 20:21 UTC
198.235.24.55 Sonde PostgreSQL 17/06/2026 20:17 UTC
198.235.24.181 Sonde port 17/06/2026 20:17 UTC
205.210.31.168 weblogic probe 17/06/2026 20:16 UTC
198.235.24.196 Sonde port 17/06/2026 20:16 UTC

IPs apparentées

Même FAI Google LLC — corrélation indicative.

205.210.31.65 Sonde Memcached
198.235.24.172 Scanner web
35.195.254.25 Sonde port 9146/TCP
34.125.34.174 Injection de commande
198.235.24.55 Sonde PostgreSQL

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

60 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /static/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /static/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /static/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.83 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 270, "payload_entropy": 5.3864080949922375, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "02b7773c4eabaf2164fc5521b481872d", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.83\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.103 Safari\/537.36 OPR\/60.0.3255.83\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "48ada9e805ba0696af3a820a0bd5d99056f7e7b5", "protocol_details": { "payload_preview": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/static\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /assets/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-AL00 Build/HUAWEICLT-AL0 Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /assets/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-AL00 Build/HUAWEICLT-AL0 Requête brute (extrait) GET /assets/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-AL00 Build/HUAWEICLT-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MM Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 415, "payload_entropy": 5.56279383805018, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ef0eac55fe2641aae0c610f14d9cdf5d", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL0", "request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MM", "payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL0", "evidence": { "request_sample": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MM", "payload_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL0", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a23dfacfaed4d63e74d9445aa4b89925c9ba2ca3", "protocol_details": { "payload_preview": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL0", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL0", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL0", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/assets\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL0", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /dist/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/5 Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /dist/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/5 Requête brute (extrait) GET /dist/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3889.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 255, "payload_entropy": 5.401901498340046, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9ce9404bcd7bc0244fe6fe1d16f2622b", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3889.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "evidence": { "request_sample": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3889.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d98950814f2bd2aeb6ec18c639e87eb2ecc4a33", "protocol_details": { "payload_preview": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/dist\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 23
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /build/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu/~maxim/cgi-bin/ Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 23 Confiance : Confiance 0 % — 6 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /build/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu/~maxim/cgi-bin/ Requête brute (extrait) GET /build/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu/~maxim/cgi-bin/Link/GulperBot) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 212, "payload_entropy": 5.265518678014218, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 23, "tag_count": 6, "anomaly_count": 0, "campaign_key": "14c7995c5bda0effdd1f8bfde34b3da17be97442", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 23 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8ed3240e29aeb3d992bd6dd812181127", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 23 }, "payload_preview": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/", "request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/GulperBot)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/", "evidence": { "request_sample": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/Link\/GulperBot)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4dac2ba813d86668dfe6edb036131e536ce5558f", "protocol_details": { "payload_preview": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 23 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 23, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/build\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Gulper Web Bot 0.2.4 (www.ecsl.cs.sunysb.edu\/~maxim\/cgi-bin\/", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /dashboard/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko D Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /dashboard/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko D Requête brute (extrait) GET /dashboard/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Debian/1.6-7 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 208, "payload_entropy": 5.30887198191832, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7cb6ac1ab84a338dd096c4d3b1f8915b", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko D", "request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Debian\/1.6-7\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko D", "evidence": { "request_sample": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko Debian\/1.6-7\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko D", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0719f578abb5de86a417aeb60762910252ed96b4", "protocol_details": { "payload_preview": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko D", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko D", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko D", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/dashboard\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux; i686; en-US; rv:1.6) Gecko D", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde Elasticsearch elasticsearch probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 49
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /admin/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/ Pourquoi cette classification : Type « elasticsearch_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 49 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0341 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) ES admin GET User-Agent — Règles WAF — Payload (extrait) GET /admin/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/ Requête brute (extrait) GET /admin/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3844.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 256, "payload_entropy": 5.400759761908855, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 49, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0341" ], "kb_rule_ids": [ "pat-0341" ], "matched_patterns": [ "pat-0341" ], "matched_pattern_names": [ "ES admin GET" ], "pattern_ids": [ "pat-0341" ], "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5597a98bd3dad5ded5b65b9d1412a28c", "path_pattern_hash": "9dbf5366f59d9174076d704198d3d3fd" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 49 }, "payload_preview": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/", "request_sample": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/", "evidence": { "request_sample": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3844.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/", "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "909bfa101a551ed5b8aac754fa146e1f424442d1", "protocol_details": { "payload_preview": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/", "attack_vector": "elasticsearch probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 49 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 49, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0341" ], "tags_summary_labels_fr": [ "pat-0341" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "elasticsearch probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/admin\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 2, "behavior_priority": 72 }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 23
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /portal/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: SonyEricssonT100/R101 Accept-Charset: utf-8 Accept-Encodi Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 23 Confiance : Confiance 0 % — 6 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /portal/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: SonyEricssonT100/R101 Accept-Charset: utf-8 Accept-Encodi Requête brute (extrait) GET /portal/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: SonyEricssonT100/R101 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 159, "payload_entropy": 5.06633641575862, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 23, "tag_count": 6, "anomaly_count": 0, "campaign_key": "14c7995c5bda0effdd1f8bfde34b3da17be97442", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 23 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b59f344296c8b96ba50898271df55674", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 23 }, "payload_preview": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonT100\/R101\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonT100\/R101\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonT100\/R101\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "evidence": { "request_sample": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonT100\/R101\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonT100\/R101\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a6ed1bd6618f672dc5f3f9b6b9a7cc728dc2e4b5", "protocol_details": { "payload_preview": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonT100\/R101\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonT100\/R101\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 23 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 23, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonT100\/R101\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/portal\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonT100\/R101\r\nAccept-Charset: utf-8\r\nAccept-Encodi", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /shop/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 5.1; C6740N Build/LMY47O) AppleWe Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /shop/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 5.1; C6740N Build/LMY47O) AppleWe Requête brute (extrait) GET /shop/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 5.1; C6740N Build/LMY47O) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connect Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 270, "payload_entropy": 5.441004166418746, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "70a3f8f0257ae6666f62a61d04435f37", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; C6740N Build\/LMY47O) AppleWe", "request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; C6740N Build\/LMY47O) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; C6740N Build\/LMY47O) AppleWe", "evidence": { "request_sample": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; C6740N Build\/LMY47O) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect", "payload_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; C6740N Build\/LMY47O) AppleWe", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44f8066da4fe6d8b1cebcbbf1766ddc94251830a", "protocol_details": { "payload_preview": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; C6740N Build\/LMY47O) AppleWe", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; C6740N Build\/LMY47O) AppleWe", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; C6740N Build\/LMY47O) AppleWe", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/shop\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 5.1; C6740N Build\/LMY47O) AppleWe", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /blog/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/5 Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /blog/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/5 Requête brute (extrait) GET /blog/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 256, "payload_entropy": 5.400896222470727, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d968f951ffd965fe721b1538ad204b06", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "evidence": { "request_sample": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f31f81df097c61f201cd9d328da2f726b3fef456", "protocol_details": { "payload_preview": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/blog\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/5", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /site/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (K Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /site/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (K Requête brute (extrait) GET /site/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 249, "payload_entropy": 5.410289482381773, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1c4213222345f89b99a87c6ca5623386", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (K", "request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (K", "evidence": { "request_sample": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2fb824fdf6f7c3d7ccdde6bd3f80ef624c5ff3e2", "protocol_details": { "payload_preview": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (K", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (K", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (K", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/site\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (K", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /wp-content/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build/P Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /wp-content/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build/P Requête brute (extrait) GET /wp-content/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Accept-Chars Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 311, "payload_entropy": 5.4984952935298255, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7ebff01ec3d246a7a061a896c95ac50d", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build\/P", "request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Chars", "payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build\/P", "evidence": { "request_sample": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Chars", "payload_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build\/P", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4441aaa66331fd80790108caa95ff72e51c5b9c0", "protocol_details": { "payload_preview": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build\/P", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build\/P", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build\/P", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/wp-content\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G965W Build\/P", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /laravel/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.3 Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /laravel/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /laravel/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 252, "payload_entropy": 5.4113823766308755, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a023ea76ad695e726bdce067b81d5b86", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "evidence": { "request_sample": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/60.0.3112.90 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a3d6e2e788b4f56ec788cd548ca4d2d01b312308", "protocol_details": { "payload_preview": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/laravel\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.3", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /wordpress/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/ Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /wordpress/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/ Requête brute (extrait) GET /wordpress/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Fennec/2.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 232, "payload_entropy": 5.264313129345864, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "af73c889c0dae748255bc1c91cba44f7", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/", "request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1 Fennec\/2.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/", "evidence": { "request_sample": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1 Fennec\/2.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "37b0ca38d959afb29dfe76e5d5605e7bd1ff5781", "protocol_details": { "payload_preview": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/wordpress\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686 on x86_64; rv:2.0.1) Gecko\/", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 23
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Opera/8.01 (J2ME/MIDP; Opera Mini/1.0.1479/HiFi; SonyErics Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 23 Confiance : Confiance 0 % — 6 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Opera/8.01 (J2ME/MIDP; Opera Mini/1.0.1479/HiFi; SonyErics Requête brute (extrait) GET /project/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Opera/8.01 (J2ME/MIDP; Opera Mini/1.0.1479/HiFi; SonyEricsson P900; no; U; ssr) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 218, "payload_entropy": 5.2922194929770665, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 23, "tag_count": 6, "anomaly_count": 0, "campaign_key": "14c7995c5bda0effdd1f8bfde34b3da17be97442", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 23 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "774a795927e4e02490fb9b6128382f99", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 23 }, "payload_preview": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Opera\/8.01 (J2ME\/MIDP; Opera Mini\/1.0.1479\/HiFi; SonyErics", "request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Opera\/8.01 (J2ME\/MIDP; Opera Mini\/1.0.1479\/HiFi; SonyEricsson P900; no; U; ssr)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Opera\/8.01 (J2ME\/MIDP; Opera Mini\/1.0.1479\/HiFi; SonyErics", "evidence": { "request_sample": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Opera\/8.01 (J2ME\/MIDP; Opera Mini\/1.0.1479\/HiFi; SonyEricsson P900; no; U; ssr)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Opera\/8.01 (J2ME\/MIDP; Opera Mini\/1.0.1479\/HiFi; SonyErics", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e4456a33c095ae631dbbf39e227f6422b6121cba", "protocol_details": { "payload_preview": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Opera\/8.01 (J2ME\/MIDP; Opera Mini\/1.0.1479\/HiFi; SonyErics", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Opera\/8.01 (J2ME\/MIDP; Opera Mini\/1.0.1479\/HiFi; SonyErics", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 23 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 23, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Opera\/8.01 (J2ME\/MIDP; Opera Mini\/1.0.1479\/HiFi; SonyErics", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/project\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Opera\/8.01 (J2ME\/MIDP; Opera Mini\/1.0.1479\/HiFi; SonyErics", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /symfony/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534. Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /symfony/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534. Requête brute (extrait) GET /symfony/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit/534.35 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.35 Puffin/2.9174AP Accept-Charset: utf-8 Accept-Encoding: gzip Connectio Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 268, "payload_entropy": 5.472519754018971, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3f336ac4bc3ce4ba6eb24cd2b22adcd4", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.", "request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.9174AP\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.", "evidence": { "request_sample": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.35 (KHTML, like Gecko) Chrome\/11.0.696.65 Safari\/534.35 Puffin\/2.9174AP\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnectio", "payload_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bb56af0a793a6f96e822bde4bde232d5b381ed53", "protocol_details": { "payload_preview": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/symfony\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-gb) AppleWebKit\/534.", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:02 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /code/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (l Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /code/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (l Requête brute (extrait) GET /code/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.2; Linux) KHTML/4.2.4 (like Gecko) Slackware/13.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 222, "payload_entropy": 5.321194145258757, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7faa8519bc8f31ddcc47511e73891943", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (l", "request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (l", "evidence": { "request_sample": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (like Gecko) Slackware\/13.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (l", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a3445b6ddc4eef86d7b4132553198d0b803ef900", "protocol_details": { "payload_preview": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (l", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (l", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (l", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/code\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.2; Linux) KHTML\/4.2.4 (l", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 251, "payload_entropy": 5.386338317691116, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dfe6cb95bc015dec674c7c1a50fdf5ea", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f533b21a305385dba24c269297808941226c17ac", "protocol_details": { "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Z971) AppleWebKit\/537.36 (KHTML", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 23
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /src/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Nokia6630/1.0 (2.39.15) SymbianOS/8.0 Series60/2.6 Profile/MID Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 23 Confiance : Confiance 0 % — 6 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /src/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Nokia6630/1.0 (2.39.15) SymbianOS/8.0 Series60/2.6 Profile/MID Requête brute (extrait) GET /src/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Nokia6630/1.0 (2.39.15) SymbianOS/8.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 225, "payload_entropy": 5.3067674974943895, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 23, "tag_count": 6, "anomaly_count": 0, "campaign_key": "14c7995c5bda0effdd1f8bfde34b3da17be97442", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 23 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6241286321afe9c7effc4b82e48dceac", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 23 }, "payload_preview": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MID", "request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MID", "evidence": { "request_sample": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MID", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7a5aac7a33e630d0f69d6bfda138736e90222b4f", "protocol_details": { "payload_preview": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MID", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MID", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 23 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 23, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MID", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/src\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Nokia6630\/1.0 (2.39.15) SymbianOS\/8.0 Series60\/2.6 Profile\/MID", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /frontend/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKi Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /frontend/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKi Requête brute (extrait) GET /frontend/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1664.3 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 258, "payload_entropy": 5.381146210677749, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c139b00a2b4abcf38dde6016f02c6ae3", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKi", "request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1664.3 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKi", "evidence": { "request_sample": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/32.0.1664.3 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "payload_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKi", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89e65f22ecb61c982c40ad0b063e8ebe20ea8439", "protocol_details": { "payload_preview": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKi", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKi", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKi", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/frontend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKi", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /backend/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /backend/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /backend/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 245, "payload_entropy": 5.415652035372274, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5dc2135eb319eeb65379195173b295c0", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/35.0.1916.153 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/35.0.1916.153 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f562bde59ca91499bb081de9dc5d77a1da4e436a", "protocol_details": { "payload_preview": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.36 (KHTML", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.36 (KHTML", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.36 (KHTML", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/backend\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; FreeBSD amd64) AppleWebKit\/537.36 (KHTML", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /app/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (compatible; archive.org_bot; Wayback Machine Live Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass User-Agent — Règles WAF — Payload (extrait) GET /app/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (compatible; archive.org_bot; Wayback Machine Live Requête brute (extrait) GET /app/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (compatible; archive.org_bot; Wayback Machine Live Record; +http://archive.org/details/archive.org_bot) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 250, "payload_entropy": 5.20589430443772, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c67f1bb0e5beba519aefe3e0393d6dbc", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; archive.org_bot; Wayback Machine Live", "request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; archive.org_bot; Wayback Machine Live Record; +http:\/\/archive.org\/details\/archive.org_bot)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; archive.org_bot; Wayback Machine Live", "evidence": { "request_sample": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; archive.org_bot; Wayback Machine Live Record; +http:\/\/archive.org\/details\/archive.org_bot)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; archive.org_bot; Wayback Machine Live", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a5cf1d286ddf372d71500d0021f0df1c738a6eff", "protocol_details": { "payload_preview": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; archive.org_bot; Wayback Machine Live", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; archive.org_bot; Wayback Machine Live", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; archive.org_bot; Wayback Machine Live", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/app\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (compatible; archive.org_bot; Wayback Machine Live", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /api/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWe Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /api/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWe Requête brute (extrait) GET /api/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393 Accept-Charset: utf-8 Accept-Encoding: gzip C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 276, "payload_entropy": 5.459398553009815, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "99692d2a5bb6b35ac68b6fbbc318aa5e", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWe", "request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/51.0.2704.79 Safari\/537.36 Edge\/14.14393\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWe", "evidence": { "request_sample": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/51.0.2704.79 Safari\/537.36 Edge\/14.14393\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nC", "payload_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWe", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "209f7f2168fae88850e11edb273c87a8484671bb", "protocol_details": { "payload_preview": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWe", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWe", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWe", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/api\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; ARM; Lumia 950 Dual SIM) AppleWe", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /v1/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; vivo 1805) AppleWebKit/537.36 (K Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /v1/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; vivo 1805) AppleWebKit/537.36 (K Requête brute (extrait) GET /v1/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; vivo 1805) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 256, "payload_entropy": 5.373676734021799, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5f2e544f2448f83a21e1a0c7d44117cd", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; vivo 1805) AppleWebKit\/537.36 (K", "request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; vivo 1805) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; vivo 1805) AppleWebKit\/537.36 (K", "evidence": { "request_sample": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; vivo 1805) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.101 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; vivo 1805) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a294e17fdfb4db3c68eaaaf69fd66450a7d5500c", "protocol_details": { "payload_preview": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; vivo 1805) AppleWebKit\/537.36 (K", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; vivo 1805) AppleWebKit\/537.36 (K", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; vivo 1805) AppleWebKit\/537.36 (K", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/v1\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; vivo 1805) AppleWebKit\/537.36 (K", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /www/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Buil Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /www/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Buil Requête brute (extrait) GET /www/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Build/OPM1.171019.011) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrows Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 336, "payload_entropy": 5.439134902164573, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7caefdbce01efd3bbad8b552c930000a", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Buil", "request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Build\/OPM1.171019.011) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrows", "payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Buil", "evidence": { "request_sample": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Build\/OPM1.171019.011) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/71.0.3578.141 Mobile Safari\/537.36 XiaoMi\/MiuiBrows", "payload_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Buil", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "274de1b57bd9a0931cfd3ca78ef996255d0a7c59", "protocol_details": { "payload_preview": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Buil", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Buil", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Buil", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/www\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; es-us; Redmi Note 5 Buil", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 2, "behavior_priority": 72 }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /v3/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060 Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /v3/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060 Requête brute (extrait) GET /v3/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 MG(Novarra-Vision/6.9) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.364623757116808, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "366db6e000fca87636ab5662acd4d2ee", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko\/20060", "request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko\/20060909 Firefox\/1.5.0.7 MG(Novarra-Vision\/6.9)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko\/20060", "evidence": { "request_sample": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko\/20060909 Firefox\/1.5.0.7 MG(Novarra-Vision\/6.9)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko\/20060", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd993631a356a4c60f61f5abd637f2f26b10e691", "protocol_details": { "payload_preview": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko\/20060", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko\/20060", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko\/20060", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/v3\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko\/20060", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /v2/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel) AppleWebKit/537.36 (KHTML Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /v2/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /v2/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Linux; Android 9; Pixel) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 252, "payload_entropy": 5.392583387151964, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bfed8b46bc6943db5991aecd12a12fc6", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML", "request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML", "evidence": { "request_sample": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72a72f35572f176084b61fbe1f1ac2cbd0aecfb9", "protocol_details": { "payload_preview": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/v2\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Pixel) AppleWebKit\/537.36 (KHTML", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /web/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/53 Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /web/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/53 Requête brute (extrait) GET /web/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 254, "payload_entropy": 5.401038823616682, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "42f690bdd071bed1e4b04cb8e133f899", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "evidence": { "request_sample": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b32a1389f6bd95361e360abbca408eb1deb90a78", "protocol_details": { "payload_preview": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/web\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/53", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /html/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: SonyEricssonW950i/R100 Mozilla/4.0 (compatible; MSIE 6.0; Sym Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /html/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: SonyEricssonW950i/R100 Mozilla/4.0 (compatible; MSIE 6.0; Sym Requête brute (extrait) GET /html/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: SonyEricssonW950i/R100 Mozilla/4.0 (compatible; MSIE 6.0; Symbian OS; 323) Opera 8.60 [en-US] Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 229, "payload_entropy": 5.374891486371702, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3624fa8fd4640a1fa0dc13bbe6b1ccf1", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonW950i\/R100 Mozilla\/4.0 (compatible; MSIE 6.0; Sym", "request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonW950i\/R100 Mozilla\/4.0 (compatible; MSIE 6.0; Symbian OS; 323) Opera 8.60 [en-US]\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonW950i\/R100 Mozilla\/4.0 (compatible; MSIE 6.0; Sym", "evidence": { "request_sample": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonW950i\/R100 Mozilla\/4.0 (compatible; MSIE 6.0; Symbian OS; 323) Opera 8.60 [en-US]\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonW950i\/R100 Mozilla\/4.0 (compatible; MSIE 6.0; Sym", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "639c659b00668967415f4e5992c08db2231ab0d9", "protocol_details": { "payload_preview": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonW950i\/R100 Mozilla\/4.0 (compatible; MSIE 6.0; Sym", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonW950i\/R100 Mozilla\/4.0 (compatible; MSIE 6.0; Sym", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonW950i\/R100 Mozilla\/4.0 (compatible; MSIE 6.0; Sym", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/html\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: SonyEricssonW950i\/R100 Mozilla\/4.0 (compatible; MSIE 6.0; Sym", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /htdocs/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/538.1 (KHTML, lik Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /htdocs/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/538.1 (KHTML, lik Requête brute (extrait) GET /htdocs/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/538.1 (KHTML, like Gecko) QupZilla/1.8.6 Safari/538.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 233, "payload_entropy": 5.36005103356116, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6fe026e3d8565c5ee77eca0ec702fb13", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, lik", "request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.8.6 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, lik", "evidence": { "request_sample": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, like Gecko) QupZilla\/1.8.6 Safari\/538.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, lik", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a028e859c3b33804189cf9ce268bb4e507f82a7", "protocol_details": { "payload_preview": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, lik", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, lik", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, lik", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/htdocs\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/538.1 (KHTML, lik", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:01 UTC	TCP	2375 · DOCKER	docker	Sonde API Docker docker api probe · via DOCKER:2375 · (sonde / probe)	Élevée	Faible · 39
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload GET /public/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/ Pourquoi cette classification : Type « docker_api_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 39 Confiance : Confiance 0 % — 7 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /public/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/ Requête brute (extrait) GET /public/.git/config HTTP/1.1 Host: 62.3.50.33:2375 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 221, "payload_entropy": 5.280925045971323, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.5, "risk_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 39, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e0fdfbf47062ae238205c30d2d049b8e075a23f9", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "662bcf9331a2da3db4567de63ab9950e", "path_pattern_hash": "f1831d9f4a5a77b3112c071eb8abe3e6" }, "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 39 }, "payload_preview": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/", "request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.0; .NET4.0E; .NET4.0C)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/", "evidence": { "request_sample": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/7.0; .NET4.0E; .NET4.0C)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/", "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "cloud_infra_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cfa9c60f6832401d7cce0c56680d952dbad13968", "protocol_details": { "payload_preview": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/", "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab docker_api_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 39\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 60, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 39 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 39, "risk_label": "Faible", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "docker api probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/public\/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2375\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident\/", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 0 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "http_get_probe", "mozi_pattern", "net_docker_api_probe", "redis_config_probe" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��0ro��c$��e):��/�@��څ ��~��v��i�;t+.�)�0l�u\|�qು�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��0ro��c$��e):��/�@��څ ��~��v��i�;t+.�)�0l�u\|�qು�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��0ro��c$��e):��/�@��څ ��~��v��i�;t+.�)�0l�u\|�qು�&�+�/�,�0̨̩� �� /5� w �+3&$ e��" �fe�b��a��0S4 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.816259100697941, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "865cd92122070d7f9f10a57e3420c33e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0ro\b\ufffd\ufffd\ufffd\ufffdc$\ufffd\ufffde):\ufffd\ufffd\ufffd\/\u0000\ufffd@\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0685 \ufffd\ufffd\ufffd~\ufffd\ufffdv\ufffd\ufffd\ufffdi\ufffd;t\u0010+.\ufffd)\ufffd0l\ufffd\u0012u\|\ufffdq\u0cc1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0ro\b\ufffd\ufffd\ufffd\ufffdc$\ufffd\ufffde):\ufffd\ufffd\ufffd\/\u0000\ufffd@\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0685 \ufffd\ufffd\ufffd~\ufffd\ufffdv\ufffd\ufffd\ufffdi\ufffd;t\u0010+.\ufffd)\ufffd0l\ufffd\u0012u\|\ufffdq\u0cc1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001fe\ufffd\ufffd\"\u0012\r\u001b\ufffdfe\u0006\ufffd\u0017\u0000b\ufffd\ufffd\ufffd\ufffda\ufffd\u001f\ufffd\ufffd\ufffd\u00140S4", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0ro\b\ufffd\ufffd\ufffd\ufffdc$\ufffd\ufffde):\ufffd\ufffd\ufffd\/\u0000\ufffd@\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0685 \ufffd\ufffd\ufffd~\ufffd\ufffdv\ufffd\ufffd\ufffdi\ufffd;t\u0010+.\ufffd)\ufffd0l\ufffd\u0012u\|\ufffdq\u0cc1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "28bc1bda76006fc95aa9d58233deae19cd9af7d6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0ro\b\ufffd\ufffd\ufffd\ufffdc$\ufffd\ufffde):\ufffd\ufffd\ufffd\/\u0000\ufffd@\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0685 \ufffd\ufffd\ufffd~\ufffd\ufffdv\ufffd\ufffd\ufffdi\ufffd;t\u0010+.\ufffd)\ufffd0l\ufffd\u0012u\|\ufffdq\u0cc1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd0ro\ufffd\ufffd\ufffd\ufffdc$\ufffd\ufffde):\ufffd\ufffd\ufffd\/\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd\u0685 \ufffd\ufffd\ufffd~\ufffd\ufffdv\ufffd\ufffd\ufffdi\ufffd;t+.\ufffd)\ufffd0l\ufffdu\|\ufffdq\u0cc1\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0ro\b\ufffd\ufffd\ufffd\ufffdc$\ufffd\ufffde):\ufffd\ufffd\ufffd\/\u0000\ufffd@\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\u0685 \ufffd\ufffd\ufffd~\ufffd\ufffdv\ufffd\ufffd\ufffdi\ufffd;t\u0010+.\ufffd)\ufffd0l\ufffd\u0012u\|\ufffdq\u0cc1\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd0ro\ufffd\ufffd\ufffd\ufffdc$\ufffd\ufffde):\ufffd\ufffd\ufffd\/\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd\u0685 \ufffd\ufffd\ufffd~\ufffd\ufffdv\ufffd\ufffd\ufffdi\ufffd;t+.\ufffd)\ufffd0l\ufffdu\|\ufffdq\u0cc1\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��X�W2O��6op�_%��y�H�4�<BH+ Id�=�'��;i4��E�`�qm�9�ȣk&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��X�W2O��6op�_%��y�H�4�<BH+ Id�=�'��;i4��E�`�qm�9�ȣk&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��X�W2O��6op�_%��y�H�4�<BH+ Id�=�'��;i4��E�`�qm�9�ȣk&�+�/�,�0̨̩� �� /5� w �+3&$ FU�8 ��6�?yZ >F��KU��v�A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.866658223038385, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b3ff11a19abb2177acb81ecc04c95c66", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003X\ufffdW2O\ufffd\u0013\ufffd\ufffd\ufffd\ufffd6op\ufffd_%\ufffd\ufffd\ufffdy\ufffdH\ufffd4\ufffd\u0006<BH+\u001b Id\ufffd=\ufffd'\ufffd\u0002\ufffd\u001a\ufffd;i4\ufffd\ufffd\ufffd\ufffd\bE\ufffd`\ufffdqm\ufffd9\ufffd\u0223k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003X\ufffdW2O\ufffd\u0013\ufffd\ufffd\ufffd\ufffd6op\ufffd_%\ufffd\ufffd\ufffdy\ufffdH\ufffd4\ufffd\u0006<BH+\u001b Id\ufffd=\ufffd'\ufffd\u0002\ufffd\u001a\ufffd;i4\ufffd\ufffd\ufffd\ufffd\bE\ufffd`\ufffdqm\ufffd9\ufffd\u0223k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 FU\ufffd8\u0014 \ufffd\ufffd\ufffd6\ufffd?\u0014yZ\t>F\ufffd\u0014\ufffdKU\b\ufffd\ufffd\ufffdv\u0001\ufffdA\u0018", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003X\ufffdW2O\ufffd\u0013\ufffd\ufffd\ufffd\ufffd6op\ufffd_%\ufffd\ufffd\ufffdy\ufffdH\ufffd4\ufffd\u0006<BH+\u001b Id\ufffd=\ufffd'\ufffd\u0002\ufffd\u001a\ufffd;i4\ufffd\ufffd\ufffd\ufffd\bE\ufffd`\ufffdqm\ufffd9\ufffd\u0223k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dddc61e32d3c1c23c51f956016546ada3d9c4674", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003X\ufffdW2O\ufffd\u0013\ufffd\ufffd\ufffd\ufffd6op\ufffd_%\ufffd\ufffd\ufffdy\ufffdH\ufffd4\ufffd\u0006<BH+\u001b Id\ufffd=\ufffd'\ufffd\u0002\ufffd\u001a\ufffd;i4\ufffd\ufffd\ufffd\ufffd\bE\ufffd`\ufffdqm\ufffd9\ufffd\u0223k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffdX\ufffdW2O\ufffd\ufffd\ufffd\ufffd\ufffd6op\ufffd_%\ufffd\ufffd\ufffdy\ufffdH\ufffd4\ufffd<BH+ Id\ufffd=\ufffd'\ufffd\ufffd\ufffd;i4\ufffd\ufffd\ufffd\ufffdE\ufffd`\ufffdqm\ufffd9\ufffd\u0223k&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003X\ufffdW2O\ufffd\u0013\ufffd\ufffd\ufffd\ufffd6op\ufffd_%\ufffd\ufffd\ufffdy\ufffdH\ufffd4\ufffd\u0006<BH+\u001b Id\ufffd=\ufffd'\ufffd\u0002\ufffd\u001a\ufffd;i4\ufffd\ufffd\ufffd\ufffd\bE\ufffd`\ufffdqm\ufffd9\ufffd\u0223k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdX\ufffdW2O\ufffd\ufffd\ufffd\ufffd\ufffd6op\ufffd_%\ufffd\ufffd\ufffdy\ufffdH\ufffd4\ufffd<BH+ Id\ufffd=\ufffd'\ufffd\ufffd\ufffd;i4\ufffd\ufffd\ufffd\ufffdE\ufffd`\ufffdqm\ufffd9\ufffd\u0223k&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��A�h�ꒃ@A�31.��m��G��k��j b b�<ss��'����rw8��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��A�h�ꒃ@A�31.��m��G��k��j b b�<ss��'����rw8��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��A�h�ꒃ@A�31.��m��G��k��j b b�<ss��'����rw8��&�+�/�,�0̨̩� �� /5� w �+3&$ �Q��+�m�� 3�cʀ��a2�˸b��h Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.831037668302081, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "699fb5c9f5d0ef53a59ef3512ce8a509", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\u0001\ufffdh\ufffd\ua483\u0019@A\u0007\ufffd3\u00151.\ufffd\ufffdm\ufffd\ufffd\u0011G\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffdj b\u0011\r\u0019b\ufffd<ss\ufffd\u000f\ufffd'\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\u000f\ufffd\ufffd\ufffdrw8\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\u0001\ufffdh\ufffd\ua483\u0019@A\u0007\ufffd3\u00151.\ufffd\ufffdm\ufffd\ufffd\u0011G\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffdj b\u0011\r\u0019b\ufffd<ss\ufffd\u000f\ufffd'\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\u000f\ufffd\ufffd\ufffdrw8\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdQ\ufffd\ufffd\ufffd+\ufffdm\u0004\u0019\ufffd\ufffd\r3\ufffdc\u0280\ufffd\ufffd\ufffd\ufffda2\ufffd\u02f8b\ufffd\ufffdh", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\u0001\ufffdh\ufffd\ua483\u0019@A\u0007\ufffd3\u00151.\ufffd\ufffdm\ufffd\ufffd\u0011G\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffdj b\u0011\r\u0019b\ufffd<ss\ufffd\u000f\ufffd'\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\u000f\ufffd\ufffd\ufffdrw8\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0a40ab73d49446dfca691affb256e0e4fcb08e7e", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\u0001\ufffdh\ufffd\ua483\u0019@A\u0007\ufffd3\u00151.\ufffd\ufffdm\ufffd\ufffd\u0011G\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffdj b\u0011\r\u0019b\ufffd<ss\ufffd\u000f\ufffd'\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\u000f\ufffd\ufffd\ufffdrw8\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffdA\ufffdh\ufffd\ua483@A\ufffd31.\ufffd\ufffdm\ufffd\ufffdG\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffdj b\rb\ufffd<ss\ufffd\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdrw8\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\u0001\ufffdh\ufffd\ua483\u0019@A\u0007\ufffd3\u00151.\ufffd\ufffdm\ufffd\ufffd\u0011G\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffdj b\u0011\r\u0019b\ufffd<ss\ufffd\u000f\ufffd'\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\u000f\ufffd\ufffd\ufffdrw8\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdA\ufffdh\ufffd\ua483@A\ufffd31.\ufffd\ufffdm\ufffd\ufffdG\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffdj b\rb\ufffd<ss\ufffd\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd\ufffdrw8\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��&x��J�� ^�t��玱 �ޓ��N.�� =�ߗkn� wt�!WO�>qbG�.ԤSz�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��&x��J�� ^�t��玱�ޓ��N.�� =�ߗkn� wt�!WO�>qbG�.ԤSz�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��&x��J�� ^�t��玱 �ޓ��N.�� =�ߗkn� wt�!WO�>qbG�.ԤSz�&�+�/�,�0̨̩� �� /5� w �+3&$ r� n�˘-?f�s��[��R��D:�sM-�F Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.88381976165711, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5f367f5c1149847155ddc206df2689b1", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&x\ufffd\ufffd\u0007\ufffdJ\ufffd\u0014\ufffd\r\ufffd\ufffd^\ufffdt\ufffd\ufffd\u73b1\u000b\ufffd\u0793\ufffd\ufffdN.\ufffd\u0001\ufffd =\ufffd\u0005\u07d7\u0015kn\ufffd\nwt\ufffd!WO\ufffd>qbG\ufffd.\u0524\u001dSz\u0006\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&x\ufffd\ufffd\u0007\ufffdJ\ufffd\u0014\ufffd\r\ufffd\ufffd^\ufffdt\ufffd\ufffd\u73b1\u000b\ufffd\u0793\ufffd\ufffdN.\ufffd\u0001\ufffd =\ufffd\u0005\u07d7\u0015kn\ufffd\nwt\ufffd!WO\ufffd>qbG\ufffd.\u0524\u001dSz\u0006\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 r\ufffd\rn\ufffd\u02d8-?f\ufffds\ufffd\ufffd\ufffd[\u0003\ufffd\ufffdR\ufffd\ufffdD:\u0001\ufffdsM-\ufffdF", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&x\ufffd\ufffd\u0007\ufffdJ\ufffd\u0014\ufffd\r\ufffd\ufffd^\ufffdt\ufffd\ufffd\u73b1\u000b\ufffd\u0793\ufffd\ufffdN.\ufffd\u0001\ufffd =\ufffd\u0005\u07d7\u0015kn\ufffd\nwt\ufffd!WO\ufffd>qbG\ufffd.\u0524\u001dSz\u0006\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b08deb60bba41c1d805a2a5fcce7288ecf969a4a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&x\ufffd\ufffd\u0007\ufffdJ\ufffd\u0014\ufffd\r\ufffd\ufffd^\ufffdt\ufffd\ufffd\u73b1\u000b\ufffd\u0793\ufffd\ufffdN.\ufffd\u0001\ufffd =\ufffd\u0005\u07d7\u0015kn\ufffd\nwt\ufffd!WO\ufffd>qbG\ufffd.\u0524\u001dSz\u0006\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd&x\ufffd\ufffd\ufffdJ\ufffd\ufffd\r\ufffd\ufffd^\ufffdt\ufffd\ufffd\u73b1\ufffd\u0793\ufffd\ufffdN.\ufffd\ufffd =\ufffd\u07d7kn\ufffd\nwt\ufffd!WO\ufffd>qbG\ufffd.\u0524Sz\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003&x\ufffd\ufffd\u0007\ufffdJ\ufffd\u0014\ufffd\r\ufffd\ufffd^\ufffdt\ufffd\ufffd\u73b1\u000b\ufffd\u0793\ufffd\ufffdN.\ufffd\u0001\ufffd =\ufffd\u0005\u07d7\u0015kn\ufffd\nwt\ufffd!WO\ufffd>qbG\ufffd.\u0524\u001dSz\u0006\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd&x\ufffd\ufffd\ufffdJ\ufffd\ufffd\r\ufffd\ufffd^\ufffdt\ufffd\ufffd\u73b1\ufffd\u0793\ufffd\ufffdN.\ufffd\ufffd =\ufffd\u07d7kn\ufffd\nwt\ufffd!WO\ufffd>qbG\ufffd.\u0524Sz\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��H8{#��+!�?re޸xv5�D�'�OC0� Y�m�^��gβ�pF�T�Yr�&�㨂i�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��H8{#��+!�?re޸xv5�D�'�OC0� Y�m�^��gβ�pF�T�Yr�&�㨂i�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��H8{#��+!�?re޸xv5�D�'�OC0� Y�m�^��gβ�pF�T�Yr�&�㨂i�&�+�/�,�0̨̩� �� /5� w �+3&$ ��Zg�3�J43/"�n<�s��b��> Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.855259782521829, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3d07a2be4c6998c5d30581d8d0072955", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0006\u0003H8{#\ufffd\ufffd\ufffd+!\ufffd?\u0018re\u07b8xv5\ufffdD\ufffd'\ufffdOC0\u0001\ufffd Y\ufffd\u001em\ufffd^\u0019\u0006\ufffd\b\ufffdg\u03b2\u0088\ufffdpF\ufffdT\ufffdYr\ufffd&\ufffd\u3a02i\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0006\u0003H8{#\ufffd\ufffd\ufffd+!\ufffd?\u0018re\u07b8xv5\ufffdD\ufffd'\ufffdOC0\u0001\ufffd Y\ufffd\u001em\ufffd^\u0019\u0006\ufffd\b\ufffdg\u03b2\u0088\ufffdpF\ufffdT\ufffdYr\ufffd&\ufffd\u3a02i\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u001e\ufffd\ufffdZg\ufffd3\ufffdJ43\ue7d6\/\"\ufffdn<\ufffds\ufffd\ufffd\ufffdb\ufffd\ufffd\u0016>", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0006\u0003H8{#\ufffd\ufffd\ufffd+!\ufffd?\u0018re\u07b8xv5\ufffdD\ufffd'\ufffdOC0\u0001\ufffd Y\ufffd\u001em\ufffd^\u0019\u0006\ufffd\b\ufffdg\u03b2\u0088\ufffdpF\ufffdT\ufffdYr\ufffd&\ufffd\u3a02i\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea159a1ee3c079420c8f5df6c8e63e6d991c8539", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0006\u0003H8{#\ufffd\ufffd\ufffd+!\ufffd?\u0018re\u07b8xv5\ufffdD\ufffd'\ufffdOC0\u0001\ufffd Y\ufffd\u001em\ufffd^\u0019\u0006\ufffd\b\ufffdg\u03b2\u0088\ufffdpF\ufffdT\ufffdYr\ufffd&\ufffd\u3a02i\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffdH8{#\ufffd\ufffd\ufffd+!\ufffd?re\u07b8xv5\ufffdD\ufffd'\ufffdOC0\ufffd Y\ufffdm\ufffd^\ufffd\ufffdg\u03b2\u0088\ufffdpF\ufffdT\ufffdYr\ufffd&\ufffd\u3a02i\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0006\u0003H8{#\ufffd\ufffd\ufffd+!\ufffd?\u0018re\u07b8xv5\ufffdD\ufffd'\ufffdOC0\u0001\ufffd Y\ufffd\u001em\ufffd^\u0019\u0006\ufffd\b\ufffdg\u03b2\u0088\ufffdpF\ufffdT\ufffdYr\ufffd&\ufffd\u3a02i\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdH8{#\ufffd\ufffd\ufffd+!\ufffd?re\u07b8xv5\ufffdD\ufffd'\ufffdOC0\ufffd Y\ufffdm\ufffd^\ufffd\ufffdg\u03b2\u0088\ufffdpF\ufffdT\ufffdYr\ufffd&\ufffd\u3a02i\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��Ѥ2%���E��F$+��e� [R�ӄ�E �h"��Õ�E�C�ʾ��_0 �#�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Ѥ2%���E��F$+��e�[R�ӄ�E �h"��Õ�E�C�ʾ��_0 �#�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Ѥ2%���E��F$+��e� [R�ӄ�E �h"��Õ�E�C�ʾ��_0 �#�&�+�/�,�0̨̩� �� /5� w �+3&$ �d�O��Q��B�i!��,��)��)- Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.8149237963580465, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d1a77d3aeff69d3d09b75a73e4a8d2d6", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04642%\ufffd\ufffd\ufffdE\ufffd\ufffdF\u000e$+\ufffd\ufffde\ufffd\u000b\u000f[R\ufffd\u04c4\ufffdE\f\u0011 \ufffdh\"\ufffd\ufffd\u0016\ufffd\u00d5\u001c\ufffd\u0002E\ufffdC\ufffd\u02be\ufffd\u001d\ufffd\ufffd_\u0005\u00180\n\ufffd#\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04642%\ufffd\ufffd\ufffdE\ufffd\ufffdF\u000e$+\ufffd\ufffde\ufffd\u000b\u000f[R\ufffd\u04c4\ufffdE\f\u0011 \ufffdh\"\ufffd\ufffd\u0016\ufffd\u00d5\u001c\ufffd\u0002E\ufffdC\ufffd\u02be\ufffd\u001d\ufffd\ufffd_\u0005\u00180\n\ufffd#\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdd\ufffdO\ufffd\ufffd\ufffdQ\u0001\ufffd\ufffd\ufffdB\ufffdi!\ufffd\ufffd,\ufffd\u0019\ufffd)\ufffd\ufffd\ufffd\u001d\ufffd)-", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04642%\ufffd\ufffd\ufffdE\ufffd\ufffdF\u000e$+\ufffd\ufffde\ufffd\u000b\u000f[R\ufffd\u04c4\ufffdE\f\u0011 \ufffdh\"\ufffd\ufffd\u0016\ufffd\u00d5\u001c\ufffd\u0002E\ufffdC\ufffd\u02be\ufffd\u001d\ufffd\ufffd_\u0005\u00180\n\ufffd#\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7130695df5a0b7db45e9f23c3f4054e761baf730", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04642%\ufffd\ufffd\ufffdE\ufffd\ufffdF\u000e$+\ufffd\ufffde\ufffd\u000b\u000f[R\ufffd\u04c4\ufffdE\f\u0011 \ufffdh\"\ufffd\ufffd\u0016\ufffd\u00d5\u001c\ufffd\u0002E\ufffdC\ufffd\u02be\ufffd\u001d\ufffd\ufffd_\u0005\u00180\n\ufffd#\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\u04642%\ufffd\ufffd\ufffdE\ufffd\ufffdF$+\ufffd\ufffde\ufffd[R\ufffd\u04c4\ufffdE \ufffdh\"\ufffd\ufffd\ufffd\u00d5\ufffdE\ufffdC\ufffd\u02be\ufffd\ufffd\ufffd_0\n\ufffd#\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u04642%\ufffd\ufffd\ufffdE\ufffd\ufffdF\u000e$+\ufffd\ufffde\ufffd\u000b\u000f[R\ufffd\u04c4\ufffdE\f\u0011 \ufffdh\"\ufffd\ufffd\u0016\ufffd\u00d5\u001c\ufffd\u0002E\ufffdC\ufffd\u02be\ufffd\u001d\ufffd\ufffd_\u0005\u00180\n\ufffd#\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\u04642%\ufffd\ufffd*\ufffdE\ufffd\ufffdF$+\ufffd\ufffde\ufffd[R\ufffd\u04c4\ufffdE \ufffdh\"\ufffd\ufffd\ufffd\u00d5\ufffdE\ufffdC\ufffd\u02be\ufffd\ufffd\ufffd_0\n\ufffd#\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��=�3MI�X��[��ηq�j��c�j�� <�Ww�Z�Շ��[��%��F�1Q��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��=�3MI�X��[��ηq�j��c�j�� <�Ww�Z�Շ��[��%��F�1Q��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��=�3MI�X��[��ηq�j��c�j�� <�Ww�Z�Շ��[��%��F�1Q��&�+�/�,�0̨̩� �� /5� w �+3&$ nq{?5X\.[��=q�N��H��x�)$��" Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.831981261621388, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c8c646f63122b72ed3f14182a2776d65", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=\ufffd\u00003MI\ufffdX\ufffd\ufffd\ufffd[\u000f\ufffd\ufffd\u03b7q\ufffdj\ufffd\u0001\ufffd\u0017c\ufffdj\ufffd\u001e\b\ufffd <\ufffdW\u0012w\ufffd\u0014Z\ufffd\u0547\ufffd\ufffd[\ufffd\ufffd\u0004%\ufffd\ufffdF\ufffd1Q\u0018\ufffd\ufffd\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=\ufffd\u00003MI\ufffdX\ufffd\ufffd\ufffd[\u000f\ufffd\ufffd\u03b7q\ufffdj\ufffd\u0001\ufffd\u0017c\ufffdj\ufffd\u001e\b\ufffd <\ufffdW\u0012w\ufffd\u0014Z\ufffd\u0547\ufffd\ufffd[\ufffd\ufffd\u0004%\ufffd\ufffdF\ufffd1Q\u0018\ufffd\ufffd\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0018nq{?5X\\.[\ufffd\ufffd\ufffd=q\ufffdN\ufffd\ufffd\ufffdH\ufffd\ufffd\u0005x\ufffd)$\ufffd\ufffd\"\u0017", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=\ufffd\u00003MI\ufffdX\ufffd\ufffd\ufffd[\u000f\ufffd\ufffd\u03b7q\ufffdj\ufffd\u0001\ufffd\u0017c\ufffdj\ufffd\u001e\b\ufffd <\ufffdW\u0012w\ufffd\u0014Z\ufffd\u0547\ufffd\ufffd[\ufffd\ufffd\u0004%\ufffd\ufffdF\ufffd1Q\u0018\ufffd\ufffd\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8b8d489f1787e7b313a6e0cc35dbfba32487a88b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=\ufffd\u00003MI\ufffdX\ufffd\ufffd\ufffd[\u000f\ufffd\ufffd\u03b7q\ufffdj\ufffd\u0001\ufffd\u0017c\ufffdj\ufffd\u001e\b\ufffd <\ufffdW\u0012w\ufffd\u0014Z\ufffd\u0547\ufffd\ufffd[\ufffd\ufffd\u0004%\ufffd\ufffdF\ufffd1Q\u0018\ufffd\ufffd\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd=\ufffd3MI\ufffdX\ufffd\ufffd\ufffd[\ufffd\ufffd\u03b7q\ufffdj\ufffd\ufffdc\ufffdj\ufffd\ufffd <\ufffdWw\ufffdZ\ufffd\u0547\ufffd\ufffd[\ufffd\ufffd%\ufffd\ufffdF\ufffd1Q\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=\ufffd\u00003MI\ufffdX\ufffd\ufffd\ufffd[\u000f\ufffd\ufffd\u03b7q\ufffdj\ufffd\u0001\ufffd\u0017c\ufffdj\ufffd\u001e\b\ufffd <\ufffdW\u0012w\ufffd\u0014Z\ufffd\u0547\ufffd\ufffd[\ufffd\ufffd\u0004%\ufffd\ufffdF\ufffd1Q\u0018\ufffd\ufffd\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd=\ufffd3MI\ufffdX\ufffd\ufffd\ufffd[\ufffd\ufffd\u03b7q\ufffdj\ufffd\ufffdc\ufffdj\ufffd\ufffd <\ufffd*Ww\ufffdZ\ufffd\u0547\ufffd\ufffd[\ufffd\ufffd%\ufffd\ufffdF\ufffd1Q\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��.kW,])�v ��tC0��a�6� F�d��uG�h��绘��#��o&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��.kW,])�v��tC0��a�6� F�d��uG�h��绘��#��o&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��.kW,])�v ��tC0��a�6� F�d��uG�h��绘��#��o&�+�/�,�0̨̩� �� /5� w �+3&$ 6~Q[��S�\|�JH��X��h�B� �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.832067030045769, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "553bf0fb470061d2589d2659ec4e26de", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0085\u0004\ufffd.kW,])\ufffdv\u0015\u000b\ufffd\ufffd\ufffdtC\u00000\ufffd\ufffda\ufffd6\ufffd\u0004 F\u0015\ufffdd\ufffd\ufffd\ufffd\ufffd\u0010\u0018\ufffd\ufffduG\ufffdh\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u7ed8\ufffd\ufffd#\ufffd\ufffd\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0085\u0004\ufffd.kW,])\ufffdv\u0015\u000b\ufffd\ufffd\ufffdtC\u00000\ufffd\ufffda\ufffd6\ufffd\u0004 F\u0015\ufffdd\ufffd\ufffd\ufffd\ufffd\u0010\u0018\ufffd\ufffduG\ufffdh\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u7ed8\ufffd\ufffd#\ufffd\ufffd\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001a6~Q[\ufffd\ufffd\ufffdS\ufffd\|\ufffdJH\ufffd\ufffd\ufffd\ufffd\u0014X\ufffd\ufffdh\ufffdB\ufffd\u000b\ufffd\ufffd\u0019\u0011", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0085\u0004\ufffd.kW,])\ufffdv\u0015\u000b\ufffd\ufffd\ufffdtC\u00000\ufffd\ufffda\ufffd6\ufffd\u0004 F\u0015\ufffdd\ufffd\ufffd\ufffd\ufffd\u0010\u0018\ufffd\ufffduG\ufffdh\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u7ed8\ufffd\ufffd#\ufffd\ufffd\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b8faa4c126d38a104096ecf7e1d716900de9031c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0085\u0004\ufffd.kW,])\ufffdv\u0015\u000b\ufffd\ufffd\ufffdtC\u00000\ufffd\ufffda\ufffd6\ufffd\u0004 F\u0015\ufffdd\ufffd\ufffd\ufffd\ufffd\u0010\u0018\ufffd\ufffduG\ufffdh\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u7ed8\ufffd\ufffd#\ufffd\ufffd\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u0085\ufffd.kW,])\ufffdv\ufffd\ufffd\ufffdtC0\ufffd\ufffda\ufffd6\ufffd F\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffduG\ufffdh\ufffd\ufffd\ufffd\ufffd\ufffd\u7ed8\ufffd\ufffd#\ufffd\ufffd\ufffdo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0085\u0004\ufffd.kW,])\ufffdv\u0015\u000b\ufffd\ufffd\ufffdtC\u00000\ufffd\ufffda\ufffd6\ufffd\u0004 F\u0015\ufffdd\ufffd\ufffd\ufffd\ufffd\u0010\u0018\ufffd\ufffduG\ufffdh\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u7ed8\ufffd\ufffd#\ufffd\ufffd\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u0085\ufffd.kW,])\ufffdv\ufffd\ufffd\ufffdtC0\ufffd\ufffda\ufffd6\ufffd F\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffduG\ufffdh\ufffd\ufffd\ufffd\ufffd\ufffd\u7ed8\ufffd\ufffd#\ufffd\ufffd\ufffdo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��g�r�@��`��DAz^&� ��W:�q�l Ӭ�� P��2�f�I��3��>��Mj&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��g�r�@��`��DAz^&��W:�q�l Ӭ�� P��2�f�I��3��>��Mj&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��g�r�@��`��DAz^&� ��W:�q�l Ӭ�� P��2�f�I��3��>��Mj&�+�/�,�0̨̩� �� /5� w �+3&$ 2}� �V5_Ch�x��'/��ʗ왃4�J= Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.902849390973607, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b1c057d6de6e0d8f0894062cf742e46c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdg\ufffdr\ufffd@\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffd\ufffdDAz^&\u001c\ufffd\f\ufffd\ufffdW:\ufffd\u0011q\ufffdl \u04ec\ufffd\ufffd\r\ufffdP\ufffd\ufffd\ufffd2\u0003\ufffdf\ufffdI\ufffd\ufffd3\ufffd\ufffd>\u0090\ufffd\u0005\ufffd\ufffd\ufffdMj\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdg\ufffdr\ufffd@\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffd\ufffdDAz^&\u001c\ufffd\f\ufffd\ufffdW:\ufffd\u0011q\ufffdl \u04ec\ufffd\ufffd\r\ufffdP\ufffd\ufffd\ufffd2\u0003\ufffdf\ufffdI\ufffd\ufffd3\ufffd\ufffd>\u0090\ufffd\u0005\ufffd\ufffd\ufffdMj\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 2}\ufffd\f\ufffd\u001e\u0004V5_Ch\ufffdx\ufffd\ufffd'\/\ufffd\ufffd\ufffd\u0297\uc6434\u0019\ufffdJ=", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdg\ufffdr\ufffd@\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffd\ufffdDAz^&\u001c\ufffd\f\ufffd\ufffdW:\ufffd\u0011q\ufffdl \u04ec\ufffd\ufffd\r\ufffdP\ufffd\ufffd\ufffd2\u0003\ufffdf\ufffdI\ufffd\ufffd3\ufffd\ufffd>\u0090\ufffd\u0005\ufffd\ufffd\ufffdMj\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9cb3351f0a7f2a82996349add916a53d1b901011", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdg\ufffdr\ufffd@\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffd\ufffdDAz^&\u001c\ufffd\f\ufffd\ufffdW:\ufffd\u0011q\ufffdl \u04ec\ufffd\ufffd\r\ufffdP\ufffd\ufffd\ufffd2\u0003\ufffdf\ufffdI\ufffd\ufffd3\ufffd\ufffd>\u0090\ufffd\u0005\ufffd\ufffd\ufffdMj\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffdg\ufffdr\ufffd@\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffd\ufffdDAz^&\ufffd\ufffd\ufffdW:\ufffdq\ufffdl \u04ec\ufffd\ufffd\r\ufffdP\ufffd\ufffd\ufffd2\ufffdf\ufffdI\ufffd\ufffd3\ufffd\ufffd>\u0090\ufffd\ufffd\ufffd\ufffdMj&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdg\ufffdr\ufffd@\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffd\ufffdDAz^&\u001c\ufffd\f\ufffd\ufffdW:\ufffd\u0011q\ufffdl \u04ec\ufffd\ufffd\r\ufffdP\ufffd\ufffd\ufffd2\u0003\ufffdf\ufffdI\ufffd\ufffd3\ufffd\ufffd>\u0090\ufffd\u0005\ufffd\ufffd\ufffdMj\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdg\ufffdr\ufffd@\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffd\ufffdDAz^&\ufffd\ufffd\ufffdW:*\ufffdq\ufffdl \u04ec\ufffd\ufffd\r\ufffdP\ufffd\ufffd\ufffd2\ufffdf\ufffdI\ufffd\ufffd3\ufffd\ufffd>\u0090\ufffd\ufffd\ufffd\ufffdMj&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��an�S�jMh� ��+�F�t鳀�� ޳ ��9� `%�j�4� ��6q�ko"`��9�gQ�i��G e&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��an�S�jMh� ��+�F�t鳀�� ޳ ��9� `%�j�4� ��6q�ko"`��9�gQ�i��Ge&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��an�S�jMh� ��+�F�t鳀�� ޳ ��9� `%�j�4� ��6q�ko"`��9�gQ�i��G e&�+�/�,�0̨̩� �� /5� w �+3&$ !��v� �]�� l}:�a��<�>f�, Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.838898710993922, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a0658ff5adc6fc7521a4bb1c8252bd89", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003an\ufffdS\ufffdjMh\ufffd\u0017 \ufffd\ufffd+\ufffdF\ufffdt\u9cc0\ufffd\ufffd\r\u07b3\t\ufffd\ufffd9\ufffd `%\ufffdj\ufffd4\ufffd\b\t\ufffd\ufffd6q\ufffdko\"`\ufffd\ufffd9\ufffdgQ\ufffd\u000ei\ufffd\ufffdG\u000be\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003an\ufffdS\ufffdjMh\ufffd\u0017 \ufffd\ufffd+\ufffdF\ufffdt\u9cc0\ufffd\ufffd\r\u07b3\t\ufffd\ufffd9\ufffd `%\ufffdj\ufffd4\ufffd\b\t\ufffd\ufffd6q\ufffdko\"`\ufffd\ufffd9\ufffdgQ\ufffd\u000ei\ufffd\ufffdG\u000be\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 !\ufffd\ufffdv\b\ufffd\n\ufffd]\ufffd\ufffd\u0007\fl\u0016\u0002}:\ufffda\u0003\u0017\ufffd\ufffd\ufffd<\ufffd>f\ufffd,", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003an\ufffdS\ufffdjMh\ufffd\u0017 \ufffd\ufffd+\ufffdF\ufffdt\u9cc0\ufffd\ufffd\r\u07b3\t\ufffd\ufffd9\ufffd `%\ufffdj\ufffd4\ufffd\b\t\ufffd\ufffd6q\ufffdko\"`\ufffd\ufffd9\ufffdgQ\ufffd\u000ei\ufffd\ufffdG\u000be\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b1ece6f47b6c23c3891c2884dcfaa74abc6fb5c1", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003an\ufffdS\ufffdjMh\ufffd\u0017 \ufffd\ufffd+\ufffdF\ufffdt\u9cc0\ufffd\ufffd\r\u07b3\t\ufffd\ufffd9\ufffd `%\ufffdj\ufffd4\ufffd\b\t\ufffd\ufffd6q\ufffdko\"`\ufffd\ufffd9\ufffdgQ\ufffd\u000ei\ufffd\ufffdG\u000be\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffdan\ufffdS\ufffdjMh\ufffd \ufffd\ufffd+\ufffdF\ufffdt\u9cc0\ufffd\ufffd\r\u07b3\t\ufffd\ufffd9\ufffd `%\ufffdj\ufffd4\ufffd\t\ufffd\ufffd6q\ufffdko\"`\ufffd\ufffd9\ufffdgQ\ufffdi\ufffd\ufffdGe&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003an\ufffdS\ufffdjMh\ufffd\u0017 \ufffd\ufffd+\ufffdF\ufffdt\u9cc0\ufffd\ufffd\r\u07b3\t\ufffd\ufffd9\ufffd `%\ufffdj\ufffd4\ufffd\b\t\ufffd\ufffd6q\ufffdko\"`\ufffd\ufffd9\ufffdgQ\ufffd\u000ei\ufffd\ufffdG\u000be\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffda*n\ufffdS\ufffdjMh\ufffd \ufffd\ufffd+\ufffdF\ufffdt\u9cc0\ufffd\ufffd\r\u07b3\t\ufffd\ufffd9\ufffd `%\ufffdj\ufffd4\ufffd\t\ufffd\ufffd6q\ufffdko\"`\ufffd\ufffd9\ufffdgQ\ufffdi\ufffd\ufffdGe&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��i�?��r16]h:��Úv�+�% 4��o�p��P\�н++�T�U6��\|ɣ�4�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��i�?��r16]h:��Úv�+�% 4��o�p��P\�н++�T�U6��\|ɣ�4�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��i�?��r16]h:��Úv�+�% 4��o�p��P\�н++�T�U6��\|ɣ�4�&�+�/�,�0̨̩� �� /5� w �+3&$ g� b�W,��fc-eLW,��c��W�[G� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.868716663437706, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5b0cd5bddb96d5ad5b71f33e8effd962", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdi\ufffd?\ufffd\u0013\ufffd\ufffd\ufffd\ufffdr16]h\u0001:\u0014\ufffd\u0005\ufffd\u00dav\ufffd+\ufffd%\u0003 4\ufffd\u001a\ufffd\ufffdo\ufffdp\ufffd\ufffdP\\\ufffd\u043d++\ufffdT\ufffdU6\ufffd\ufffd\u0007\ufffd\|\u0263\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdi\ufffd?\ufffd\u0013\ufffd\ufffd\ufffd\ufffdr16]h\u0001:\u0014\ufffd\u0005\ufffd\u00dav\ufffd+\ufffd%\u0003 4\ufffd\u001a\ufffd\ufffdo\ufffdp\ufffd\ufffdP\\\ufffd\u043d++\ufffdT\ufffdU6\ufffd\ufffd\u0007\ufffd\|\u0263\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 g\ufffd\rb\ufffdW,\ufffd\ufffd\ufffdfc-eLW,\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffdW\ufffd[G\ufffd\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdi\ufffd?\ufffd\u0013\ufffd\ufffd\ufffd\ufffdr16]h\u0001:\u0014\ufffd\u0005\ufffd\u00dav\ufffd+\ufffd%\u0003 4\ufffd\u001a\ufffd\ufffdo\ufffdp\ufffd\ufffdP\\\ufffd\u043d++\ufffdT\ufffdU6\ufffd\ufffd\u0007\ufffd\|\u0263\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0685555d9ebcefd062678348522a8d2e1b252bb6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdi\ufffd?\ufffd\u0013\ufffd\ufffd\ufffd\ufffdr16]h\u0001:\u0014\ufffd\u0005\ufffd\u00dav\ufffd+\ufffd%\u0003 4\ufffd\u001a\ufffd\ufffdo\ufffdp\ufffd\ufffdP\\\ufffd\u043d++\ufffdT\ufffdU6\ufffd\ufffd\u0007\ufffd\|\u0263\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdr16]h:\ufffd\ufffd\u00dav\ufffd+\ufffd% 4\ufffd\ufffd\ufffdo\ufffdp\ufffd\ufffdP\\\ufffd\u043d++\ufffdT\ufffdU6\ufffd\ufffd\ufffd\|\u0263\ufffd4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdi\ufffd?\ufffd\u0013\ufffd\ufffd\ufffd\ufffdr16]h\u0001:\u0014\ufffd\u0005\ufffd\u00dav\ufffd+\ufffd%\u0003 4\ufffd\u001a\ufffd\ufffdo\ufffdp\ufffd\ufffdP\\\ufffd\u043d++\ufffdT\ufffdU6\ufffd\ufffd\u0007\ufffd\|\u0263\ufffd4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdr16]h:\ufffd\ufffd\u00dav\ufffd+\ufffd% 4\ufffd\ufffd\ufffdo\ufffdp\ufffd\ufffdP\\\ufffd\u043d++\ufffdT\ufffdU6\ufffd\ufffd\ufffd\|\u0263\ufffd4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��>M�`�L&� Dw�(�%H19f��C�� ?�d��XO�W� v4P� ��c��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��>M�`�L&� Dw�(�%H19f��C�� ?�d��XO�W� v4P� ��c��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��>M�`�L&� Dw�(�%H19f��C�� ?�d��XO�W� v4P� ��c��&�+�/�,�0̨̩� �� /5� w �+3&$ �V��<�Q?�f;��dKП�Q�zM ��9 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.773017072516604, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1f7d4660f0d3d020c4e83dc849ad6d49", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>M\ufffd`\ufffdL&\ufffd\n\tDw\ufffd(\ufffd%H1\u00199f\ufffd\ufffd\ufffd\u0001C\ufffd\ufffd\ufffd\u001c ?\ufffdd\u0001\ufffd\ufffd\ufffd\ufffdXO\u0016\ufffdW\ufffd\r\nv4P\ufffd\t\ufffd\ufffd\u0006\ufffd\u0016c\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>M\ufffd`\ufffdL&\ufffd\n\tDw\ufffd(\ufffd%H1\u00199f\ufffd\ufffd\ufffd\u0001C\ufffd\ufffd\ufffd\u001c ?\ufffdd\u0001\ufffd\ufffd\ufffd\ufffdXO\u0016\ufffdW\ufffd\r\nv4P\ufffd\t\ufffd\ufffd\u0006\ufffd\u0016c\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdV\ufffd\u001b\ufffd<\u001d\ufffdQ?\u0014\ufffdf;\ufffd\ufffd\ufffdd\u0004K\u041f\ufffdQ\ufffdzM \ufffd\ufffd9", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>M\ufffd`\ufffdL&\ufffd\n\tDw\ufffd(\ufffd%H1\u00199f\ufffd\ufffd\ufffd\u0001C\ufffd\ufffd\ufffd\u001c ?\ufffdd\u0001\ufffd\ufffd\ufffd\ufffdXO\u0016\ufffdW\ufffd\r\nv4P\ufffd\t\ufffd\ufffd\u0006\ufffd\u0016c\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "54d7a9bc81eef885464272ae16dee62da9fb9e4e", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>M\ufffd`\ufffdL&\ufffd\n\tDw\ufffd(\ufffd%H1\u00199f\ufffd\ufffd\ufffd\u0001C\ufffd\ufffd\ufffd\u001c ?\ufffdd\u0001\ufffd\ufffd\ufffd\ufffdXO\u0016\ufffdW\ufffd\r\nv4P\ufffd\t\ufffd\ufffd\u0006\ufffd\u0016c\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd>M\ufffd`\ufffdL&\ufffd\n\tDw\ufffd(\ufffd%H19f\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffd ?\ufffdd\ufffd\ufffd\ufffd\ufffdXO\ufffdW\ufffd\r\nv4P\ufffd\t\ufffd\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>M\ufffd`\ufffdL&\ufffd\n\tDw\ufffd(\ufffd%H1\u00199f\ufffd\ufffd\ufffd\u0001C\ufffd\ufffd\ufffd\u001c ?\ufffdd\u0001\ufffd\ufffd\ufffd\ufffdXO\u0016\ufffdW\ufffd\r\nv4P\ufffd\t\ufffd\ufffd\u0006\ufffd\u0016c\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd>M\ufffd`\ufffdL&\ufffd\n\tDw\ufffd(\ufffd%H19f\ufffd\ufffd\ufffdC\ufffd\ufffd\ufffd ?\ufffdd\ufffd\ufffd\ufffd\ufffdXO\ufffdW\ufffd\r\nv4P\ufffd\t\ufffd\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��뜓�흩�_�2O`2=��sO/&d&OH [Tk��l� �T�I��<�F� Ή��U&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��뜓�흩�_�2O`2=��sO/&d&OH [Tk��l� �T�I��<�F� Ή��U&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��뜓�흩�_�2O`2=��sO/&d&OH [Tk��l� �T�I��<�F� Ή��U&�+�/�,�0̨̩� �� /5� w �+3&$ ��1ɨ$NHёit�=P�T��xx�z�lP p" Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.7622460594464595, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b766da5e636cb037accd547b832b8d0b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ub713\u0006\ufffd\ud769\ufffd_\ufffd2\u0002O`2=\ufffd\ufffdsO\/&d&OH [Tk\ufffd\ufffd\u0006l\u0004\u0000\u0003\ufffd\n\ufffdT\ufffdI\ufffd\ufffd\u0011<\ufffd\u0011F\ufffd\r\u0389\ufffd\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ub713\u0006\ufffd\ud769\ufffd_\ufffd2\u0002O`2=\ufffd\ufffdsO\/&d&OH [Tk\ufffd\ufffd\u0006l\u0004\u0000\u0003\ufffd\n\ufffdT\ufffdI\ufffd\ufffd\u0011<\ufffd\u0011F\ufffd\r\u0389\ufffd\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd1\u0268$NH\u0451it\ufffd=P\ufffdT\ufffd\ufffdx\u0012x\ufffdz\ufffdlP\u001d\u000bp\"", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ub713\u0006\ufffd\ud769\ufffd_\ufffd2\u0002O`2=\ufffd\ufffdsO\/&d&OH [Tk\ufffd\ufffd\u0006l\u0004\u0000\u0003\ufffd\n\ufffdT\ufffdI\ufffd\ufffd\u0011<\ufffd\u0011F\ufffd\r\u0389\ufffd\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dfecfbbfabff47ee88ef97b0093e8b4cce651695", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ub713\u0006\ufffd\ud769\ufffd_\ufffd2\u0002O`2=\ufffd\ufffdsO\/&d&OH [Tk\ufffd\ufffd\u0006l\u0004\u0000\u0003\ufffd\n\ufffdT\ufffdI\ufffd\ufffd\u0011<\ufffd\u0011F\ufffd\r\u0389\ufffd\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ub713\ufffd\ud769\ufffd_\ufffd2O`2=\ufffd\ufffdsO\/&d&OH [Tk\ufffd\ufffdl\ufffd\n\ufffdT\ufffdI\ufffd\ufffd<\ufffdF\ufffd\r\u0389\ufffd\ufffdU&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ub713\u0006\ufffd\ud769\ufffd_\ufffd2\u0002O`2=\ufffd\ufffdsO\/&d&OH [Tk\ufffd\ufffd\u0006l\u0004\u0000\u0003\ufffd\n\ufffdT\ufffdI\ufffd\ufffd\u0011<\ufffd\u0011F\ufffd\r\u0389\ufffd\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ub713\ufffd\ud769\ufffd_\ufffd2*O`2=\ufffd\ufffdsO\/&d&OH [Tk\ufffd\ufffdl\ufffd\n\ufffdT\ufffdI\ufffd\ufffd<\ufffdF\ufffd\r\u0389\ufffd\ufffdU&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��! +aѫ�pWpo�^bqre8�EJ �{��F#N��B��]�t7-J�6��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��! +aѫ�pWpo�^bqre8�EJ �{��F#N��B��]�t7-J�6��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��! +aѫ�pWpo�^bqre8�EJ �{��F#N��B��]�t7-J�6��&�+�/�,�0̨̩� �� /5� w �+3&$ 45T��~?�k��]�(�t��"l"��y��v Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.866121461733153, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "62efb4534ef01a2e56c753e350734ecb", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\ufffd\ufffd\u0016\ufffd\u0019\u0003\u0017\u0019!\r+a\u046b\u0017\ufffdpWp\u001eo\ufffd^bqre8\ufffdEJ \ufffd{\ufffd\ufffdF#N\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd]\ufffd\u0010t7-J\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\ufffd\ufffd\u0016\ufffd\u0019\u0003\u0017\u0019!\r+a\u046b\u0017\ufffdpWp\u001eo\ufffd^bqre8\ufffdEJ \ufffd{\ufffd\ufffdF#N\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd]\ufffd\u0010t7-J\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 45T\ufffd\ufffd~?\ufffdk\ufffd\ufffd\ufffd\ufffd]\ufffd(\ufffdt\ufffd\ufffd\ufffd\"l\"\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffdv", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\ufffd\ufffd\u0016\ufffd\u0019\u0003\u0017\u0019!\r+a\u046b\u0017\ufffdpWp\u001eo\ufffd^bqre8\ufffdEJ \ufffd{\ufffd\ufffdF#N\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd]\ufffd\u0010t7-J\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c341859ef4077d82669ef6bdb891039a446e7a9b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\ufffd\ufffd\u0016\ufffd\u0019\u0003\u0017\u0019!\r+a\u046b\u0017\ufffdpWp\u001eo\ufffd^bqre8\ufffdEJ \ufffd{\ufffd\ufffdF#N\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd]\ufffd\u0010t7-J\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd!\r+a\u046b\ufffdpWpo\ufffd^bqre8\ufffdEJ \ufffd{\ufffd\ufffdF#N\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd]\ufffdt7-J\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001d\ufffd\ufffd\u0016\ufffd\u0019\u0003\u0017\u0019!\r+a\u046b\u0017\ufffdpWp\u001eo\ufffd^bqre8\ufffdEJ \ufffd{\ufffd\ufffdF#N\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd]\ufffd\u0010t7-J\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd!\r+a\u046b\ufffdpWpo\ufffd^bqre8\ufffdEJ \ufffd{\ufffd\ufffdF#N\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffd]\ufffdt7-J\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��{A��"�R��W�L�C��r��0 s�Wڏu\��$�� }L �e1� iF&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��{A��"�R��W�L�C��r��0 s�Wڏu\��$�� }L �e1�iF&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��{A��"�R��W�L�C��r��0 s�Wڏu\��$�� }L �e1� iF&�+�/�,�0̨̩� �� /5� w �+3&$ ��"�(mՕ��U>x /)�^��) ��N Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.8015663741688055, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e773c1cfcec3b0a13b9cc1cc8cceeec7", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{A\ufffd\ufffd\"\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffdL\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\ufffdr\ufffd\ufffd0 s\ufffdW\u068fu\\\u0005\b\ufffd\u0014\ufffd\u001b\u0004\ufffd\ufffd\ufffd$\ufffd\ufffd\t}L \ufffde1\u0003\ufffd\fiF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{A\ufffd\ufffd\"\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffdL\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\ufffdr\ufffd\ufffd0 s\ufffdW\u068fu\\\u0005\b\ufffd\u0014\ufffd\u001b\u0004\ufffd\ufffd\ufffd$\ufffd\ufffd\t}L \ufffde1\u0003\ufffd\fiF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\"\ufffd(m\u0555\ufffd\u0004\ufffd\ufffdU>x \/)\u001d\u0006\u0017\ufffd^\ufffd\ufffd\ufffd) \ufffd\ufffdN", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{A\ufffd\ufffd\"\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffdL\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\ufffdr\ufffd\ufffd0 s\ufffdW\u068fu\\\u0005\b\ufffd\u0014\ufffd\u001b\u0004\ufffd\ufffd\ufffd$\ufffd\ufffd\t}L \ufffde1\u0003\ufffd\fiF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dc0392a5d49f9e9a4423a42c5da125a08b545818", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{A\ufffd\ufffd\"\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffdL\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\ufffdr\ufffd\ufffd0 s\ufffdW\u068fu\\\u0005\b\ufffd\u0014\ufffd\u001b\u0004\ufffd\ufffd\ufffd$\ufffd\ufffd\t}L \ufffde1\u0003\ufffd\fiF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd{A\ufffd\ufffd\"\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffdL\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffd\ufffd0 s\ufffdW\u068fu\\\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\t}L \ufffde1\ufffdiF&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{A\ufffd\ufffd\"\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffdL\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0015\ufffd\ufffd\ufffdr\ufffd\ufffd0 s\ufffdW\u068fu\\\u0005\b\ufffd\u0014\ufffd\u001b\u0004\ufffd\ufffd\ufffd$\ufffd\ufffd\t}L \ufffde1\u0003\ufffd\fiF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd{A\ufffd\ufffd\"\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffdL\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffd\ufffd0 s\ufffdW\u068fu\\\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\t}L \ufffde1\ufffdiF&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��ˇa \|��jT��#��k��\�eV܄�̽ ��'�S� ��j��4b4��C�l>f�a&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��ˇa \|��jT��#��k��\�eV܄�̽ ��'�S� ��j��4b4��C�l>f�a&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ˇa \|��jT��#��k��\�eV܄�̽ ��'�S� ��j��4b4��C�l>f�a&�+�/�,�0̨̩� �� /5� w �+3&$ >��&"0P��o��, p�p #�(,�e Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.725753848774575, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d1acb7f86eab5d39ea82cb4785f39181", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u02c7a \|\u0003\ufffd\ufffdjT\ufffd\u0019\ufffd#\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\\\ufffdeV\u0704\ufffd\u033d \ufffd\ufffd'\ufffdS\ufffd\u000f \ufffd\ufffd\ufffd\ufffdj\ufffd\u0003\ufffd4b4\ufffd\ufffd\ufffd\ufffdC\ufffdl\u0002>f\ufffda\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u02c7a \|\u0003\ufffd\ufffdjT\ufffd\u0019\ufffd#\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\\\ufffdeV\u0704\ufffd\u033d \ufffd\ufffd'\ufffdS\ufffd\u000f \ufffd\ufffd\ufffd\ufffdj\ufffd\u0003\ufffd4b4\ufffd\ufffd\ufffd\ufffdC\ufffdl\u0002>f\ufffda\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 >\ufffd\ufffd\ufffd&\u0019\"0P\ufffd\ufffdo\ufffd\ufffd\u0016\ufffd,\t\u0006p\u0000\ufffdp\t#\ufffd(,\u0018\ufffde", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u02c7a \|\u0003\ufffd\ufffdjT\ufffd\u0019\ufffd#\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\\\ufffdeV\u0704\ufffd\u033d \ufffd\ufffd'\ufffdS\ufffd\u000f \ufffd\ufffd\ufffd\ufffdj\ufffd\u0003\ufffd4b4\ufffd\ufffd\ufffd\ufffdC\ufffdl\u0002>f\ufffda\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4830487c9cd98e55f977ca66afd6a07ebbcb3b11", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u02c7a \|\u0003\ufffd\ufffdjT\ufffd\u0019\ufffd#\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\\\ufffdeV\u0704\ufffd\u033d \ufffd\ufffd'\ufffdS\ufffd\u000f \ufffd\ufffd\ufffd\ufffdj\ufffd\u0003\ufffd4b4\ufffd\ufffd\ufffd\ufffdC\ufffdl\u0002>f\ufffda\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\u02c7a \|\ufffd\ufffdjT\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\\\ufffdeV\u0704\ufffd\u033d \ufffd\ufffd'\ufffdS\ufffd \ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd4b4\ufffd\ufffd\ufffd\ufffdC\ufffdl>f\ufffda&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u02c7a \|\u0003\ufffd\ufffdjT\ufffd\u0019\ufffd#\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\\\ufffdeV\u0704\ufffd\u033d \ufffd\ufffd'\ufffdS\ufffd\u000f \ufffd\ufffd\ufffd\ufffdj\ufffd\u0003\ufffd4b4\ufffd\ufffd\ufffd\ufffdC\ufffdl\u0002>f\ufffda\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\u02c7a \|\ufffd\ufffdjT\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\\\ufffdeV\u0704\ufffd\u033d \ufffd\ufffd'\ufffdS\ufffd \ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd4b4\ufffd\ufffd\ufffd\ufffdC\ufffdl>f\ufffda&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��F�(���\� ۪�a%��,[[E �?zׇޱ��^�h��ט��]��%Ӽ��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��F�(���\� ۪�a%��,[[E �?zׇޱ��^�h��ט��]��%Ӽ��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��F�(���\� ۪�a%��,[[E �?zׇޱ��^�h��ט��]��%Ӽ��&�+�/�,�0̨̩� �� /5� w �+3&$ �V�+ �1��"R��/��<��^�wm�U]w Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.732638380144396, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "283738c88cc44102c6acc20ac1bace55", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd(\ufffd\u001e\ufffd\u0000\ufffd\u0019\ufffd\ufffd\ufffd\\\ufffd \u06ea\ufffda%\ufffd\ufffd\ufffd\u0004\ufffd,[[E\u0014 \ufffd?z\u05c7\u07b1\ufffd\u0019\ufffd\ufffd\ufffd\ufffd^\ufffdh\ufffd\ufffd\u05d8\ufffd\u0000\ufffd]\ufffd\ufffd%\u04fc\ufffd\ufffd\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd(\ufffd\u001e\ufffd\u0000\ufffd\u0019\ufffd\ufffd\ufffd\\\ufffd \u06ea\ufffda%\ufffd\ufffd\ufffd\u0004\ufffd,[[E\u0014 \ufffd?z\u05c7\u07b1\ufffd\u0019\ufffd\ufffd\ufffd\ufffd^\ufffdh\ufffd\ufffd\u05d8\ufffd\u0000\ufffd]\ufffd\ufffd%\u04fc\ufffd\ufffd\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdV\ufffd+\r\ufffd1\ufffd\ufffd\"R\ufffd\ufffd\ufffd\/\ufffd\ufffd<\u0017\ufffd\ufffd^\ufffdw\u0003m\ufffdU]w", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd(\ufffd\u001e\ufffd\u0000\ufffd\u0019\ufffd\ufffd\ufffd\\\ufffd \u06ea\ufffda%\ufffd\ufffd\ufffd\u0004\ufffd,[[E\u0014 \ufffd?z\u05c7\u07b1\ufffd\u0019\ufffd\ufffd\ufffd\ufffd^\ufffdh\ufffd\ufffd\u05d8\ufffd\u0000\ufffd]\ufffd\ufffd%\u04fc\ufffd\ufffd\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "413aa65206fd18dfc261099199f8127d3eb478dd", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd(\ufffd\u001e\ufffd\u0000\ufffd\u0019\ufffd\ufffd\ufffd\\\ufffd \u06ea\ufffda%\ufffd\ufffd\ufffd\u0004\ufffd,[[E\u0014 \ufffd?z\u05c7\u07b1\ufffd\u0019\ufffd\ufffd\ufffd\ufffd^\ufffdh\ufffd\ufffd\u05d8\ufffd\u0000\ufffd]\ufffd\ufffd%\u04fc\ufffd\ufffd\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffdF\ufffd(\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd \u06ea\ufffda%\ufffd\ufffd\ufffd\ufffd,[[E \ufffd?z\u05c7\u07b1\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffdh\ufffd\ufffd\u05d8\ufffd\ufffd]\ufffd\ufffd%\u04fc\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffd(\ufffd\u001e\ufffd\u0000\ufffd\u0019\ufffd\ufffd\ufffd\\\ufffd \u06ea\ufffda%\ufffd\ufffd\ufffd\u0004\ufffd,[[E\u0014 \ufffd?z\u05c7\u07b1\ufffd\u0019\ufffd\ufffd\ufffd\ufffd^\ufffdh\ufffd\ufffd\u05d8\ufffd\u0000\ufffd]\ufffd\ufffd%\u04fc\ufffd\ufffd\u001e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdF\ufffd(\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\\\ufffd \u06ea\ufffda%\ufffd\ufffd\ufffd\ufffd,[[E \ufffd?z\u05c7\u07b1\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffdh\ufffd\ufffd\u05d8\ufffd\ufffd]\ufffd\ufffd%\u04fc\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:46:00 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��#��bMH��L��s_��u��L웟�� .@�1�}᝙ꊝy�&�� }��[�E&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��#��bMH��L��s_��u��L웟�� .@�1�}᝙ꊝy�&�� }��[�E&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��#��bMH��L��s_��u��L웟�� .@�1�}᝙ꊝy�&�� }��[�E&�+�/�,�0̨̩� �� /5� w �+3&$ ��\8ʯ��a�A��(w�' Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.840052879478238, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b3ac649405a82891b4c85b979c26e684", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd\ufffd\u0005\u0017bMH\ufffd\ufffdL\ufffd\ufffds\u0011_\ufffd\ufffd\ufffdu\u0002\ufffd\ufffd\ufffd\ufffdL\uc6df\ufffd\ufffd .@\ufffd1\ufffd}\u0019\u1759\ua29dy\u0006\ufffd&\ufffd\ufffd \ufffd\u0007}\ufffd\u0010\ufffd[\u0019\ufffdE\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd\ufffd\u0005\u0017bMH\ufffd\ufffdL\ufffd\ufffds\u0011_\ufffd\ufffd\ufffdu\u0002\ufffd\ufffd\ufffd\ufffdL\uc6df\ufffd\ufffd .@\ufffd1\ufffd}\u0019\u1759\ua29dy\u0006\ufffd&\ufffd\ufffd \ufffd\u0007}\ufffd\u0010\ufffd[\u0019\ufffdE\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\\8\u02af\ufffd\ufffda\u001d\ufffdA\ufffd\ufffd\ufffd\u0019\ufffd\ufffd\ufffd(\u001cw\ufffd'", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd\ufffd\u0005\u0017bMH\ufffd\ufffdL\ufffd\ufffds\u0011_\ufffd\ufffd\ufffdu\u0002\ufffd\ufffd\ufffd\ufffdL\uc6df\ufffd\ufffd .@\ufffd1\ufffd}\u0019\u1759\ua29dy\u0006\ufffd&\ufffd\ufffd \ufffd\u0007}\ufffd\u0010\ufffd[\u0019\ufffdE\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8c00fce5fbf0141b35c29e5e5629fe574952a92a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd\ufffd\u0005\u0017bMH\ufffd\ufffdL\ufffd\ufffds\u0011_\ufffd\ufffd\ufffdu\u0002\ufffd\ufffd\ufffd\ufffdL\uc6df\ufffd\ufffd .@\ufffd1\ufffd}\u0019\u1759\ua29dy\u0006\ufffd&\ufffd\ufffd \ufffd\u0007}\ufffd\u0010\ufffd[\u0019\ufffdE\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd#\ufffd\ufffdbMH\ufffd\ufffdL\ufffd\ufffds_\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffdL\uc6df\ufffd\ufffd .@\ufffd1\ufffd}\u1759\ua29dy\ufffd&\ufffd\ufffd \ufffd}\ufffd\ufffd[\ufffdE&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd\ufffd\u0005\u0017bMH\ufffd\ufffdL\ufffd\ufffds\u0011_\ufffd\ufffd\ufffdu\u0002\ufffd\ufffd\ufffd\ufffdL\uc6df\ufffd\ufffd .@\ufffd1\ufffd}\u0019\u1759\ua29dy\u0006\ufffd&\ufffd\ufffd \ufffd\u0007}\ufffd\u0010\ufffd[\u0019\ufffdE\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd#\ufffd\ufffdbMH\ufffd\ufffdL\ufffd\ufffds_\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffdL\uc6df\ufffd\ufffd .@\ufffd1\ufffd}\u1759\ua29dy\ufffd&\ufffd\ufffd \ufffd}\ufffd\ufffd[\ufffdE&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:45:59 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload �� 0Dˠ�p�}��<��5q�>��_ ƶWQ��95�J��2��l��dՖI�,� &�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� 0Dˠ�p�}��<��5q�>��_ ƶWQ��95�J��2��l��dՖI�,� &�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� 0Dˠ�p�}��<��5q�>��_ ƶWQ��95�J��2��l��dՖI�,� &�+�/�,�0̨̩� �� /5� w �+3&$ ��#��/��+��B�Bo�XM�;\Ϙ�C Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.899760439084682, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2f6c1c46f530f10063e9de071a5bf8c9", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffd\ufffd\u0013\t0D\u02e0\u0006\ufffdp\ufffd}\ufffd\ufffd<\ufffd\ufffd\ufffd\u001f5q\ufffd\u0000\u000f>\u001f\ufffd\ufffd_ \u0006\u01b6WQ\ufffd\ufffd95\u0015\ufffdJ\ufffd\ufffd\ufffd2\ufffd\ufffd\u0007l\ufffd\ufffd\ufffdd\u0556I\ufffd,\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffd\ufffd\u0013\t0D\u02e0\u0006\ufffdp\ufffd}\ufffd\ufffd<\ufffd\ufffd\ufffd\u001f5q\ufffd\u0000\u000f>\u001f\ufffd\ufffd_ \u0006\u01b6WQ\ufffd\ufffd95\u0015\ufffdJ\ufffd\ufffd\ufffd2\ufffd\ufffd\u0007l\ufffd\ufffd\ufffdd\u0556I\ufffd,\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd#\ufffd\ufffd\u0015\ufffd\ufffd\/\ufffd\ufffd\ufffd+\ufffd\ufffd\u0010\u0015B\ufffdBo\u001c\ufffdXM\ufffd;\\\u03d8\ufffdC", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffd\ufffd\u0013\t0D\u02e0\u0006\ufffdp\ufffd}\ufffd\ufffd<\ufffd\ufffd\ufffd\u001f5q\ufffd\u0000\u000f>\u001f\ufffd\ufffd_ \u0006\u01b6WQ\ufffd\ufffd95\u0015\ufffdJ\ufffd\ufffd\ufffd2\ufffd\ufffd\u0007l\ufffd\ufffd\ufffdd\u0556I\ufffd,\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0353b853c3ea063d62ace51cd1c400b270917e7d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffd\ufffd\u0013\t0D\u02e0\u0006\ufffdp\ufffd}\ufffd\ufffd<\ufffd\ufffd\ufffd\u001f5q\ufffd\u0000\u000f>\u001f\ufffd\ufffd_ \u0006\u01b6WQ\ufffd\ufffd95\u0015\ufffdJ\ufffd\ufffd\ufffd2\ufffd\ufffd\u0007l\ufffd\ufffd\ufffdd\u0556I\ufffd,\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\t0D\u02e0\ufffdp\ufffd}\ufffd\ufffd<\ufffd\ufffd\ufffd5q\ufffd>\ufffd\ufffd_ \u01b6WQ\ufffd\ufffd95\ufffdJ\ufffd\ufffd\ufffd2\ufffd\ufffdl\ufffd\ufffd\ufffdd\u0556I\ufffd,\ufffd &\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffd\ufffd\u0013\t0D\u02e0\u0006\ufffdp\ufffd}\ufffd\ufffd<\ufffd\ufffd\ufffd\u001f5q\ufffd\u0000\u000f>\u001f\ufffd\ufffd_ \u0006\u01b6WQ\ufffd\ufffd95\u0015\ufffdJ\ufffd\ufffd\ufffd2\ufffd\ufffd\u0007l\ufffd\ufffd\ufffdd\u0556I\ufffd,\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\t0D\u02e0\ufffdp\ufffd}\ufffd\ufffd<\ufffd\ufffd\ufffd5q\ufffd>\ufffd\ufffd_ \u01b6WQ\ufffd\ufffd95\ufffdJ\ufffd\ufffd\ufffd2\ufffd\ufffdl\ufffd\ufffd\ufffdd\u0556I\ufffd,\ufffd &\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
14/06/2026 15:45:59 UTC	TCP	2375 · DOCKER	docker	Sonde PostgreSQL postgres probe · via DOCKER:2375 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_docker_api_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��M�@��I5��ĳ돩��(S��A'�so�1 �{:��$�a��0� b�� y;[`d&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��M�@��I5��ĳ돩��(S��A'�so�1 �{:��$�a��0� b��y;[`d&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��M�@��I5��ĳ돩��(S��A'�so�1 �{:��$�a��0� b�� y;[`d&�+�/�,�0̨̩� �� /5� w �+3&$ 08�T��aJ�5��軴 ^��ǜ��@ly� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.797475553965089, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "BR", "dst_port": 2375, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 40, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2ccd4c4fc8fd5c686e5688a02e374628fbd51708", "event_fingerprint": "00a875d783a0dbdbe0de1f97f4b47b47ab6b3d3e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "BR", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "13a881be1d5fbf9393e04b5cd2ef2f2c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 40 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015M\ufffd@\ufffd\ufffd\ufffdI5\ufffd\ufffd\ufffd\u0133\ub3e9\ufffd\u0013\ufffd\b(S\ufffd\ufffdA'\ufffdso\ufffd1 \u0019\ufffd{:\ufffd\ufffd\ufffd$\ufffda\ufffd\ufffd\ufffd\ufffd0\ufffd\rb\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u000b\u000e\ufffdy;[`d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015M\ufffd@\ufffd\ufffd\ufffdI5\ufffd\ufffd\ufffd\u0133\ub3e9\ufffd\u0013\ufffd\b(S\ufffd\ufffdA'\ufffdso\ufffd1 \u0019\ufffd{:\ufffd\ufffd\ufffd$\ufffda\ufffd\ufffd\ufffd\ufffd0\ufffd\rb\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u000b\u000e\ufffdy;[`d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 08\ufffdT\ufffd\ufffdaJ\ufffd5\ufffd\ufffd\u8ef4\u001b\n^\ufffd\ufffd\u01dc\ufffd\ufffd\ufffd@\u0013ly\ufffd\u0013", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015M\ufffd@\ufffd\ufffd\ufffdI5\ufffd\ufffd\ufffd\u0133\ub3e9\ufffd\u0013\ufffd\b(S\ufffd\ufffdA'\ufffdso\ufffd1 \u0019\ufffd{:\ufffd\ufffd\ufffd$\ufffda\ufffd\ufffd\ufffd\ufffd0\ufffd\rb\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u000b\u000e\ufffdy;[`d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bede42e6812b9742afb5fd36bbb7b1be65347d73", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015M\ufffd@\ufffd\ufffd\ufffdI5\ufffd\ufffd\ufffd\u0133\ub3e9\ufffd\u0013\ufffd\b(S\ufffd\ufffdA'\ufffdso\ufffd1 \u0019\ufffd{:\ufffd\ufffd\ufffd$\ufffda\ufffd\ufffd\ufffd\ufffd0\ufffd\rb\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u000b\u000e\ufffdy;[`d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffdM\ufffd@\ufffd\ufffd\ufffdI5\ufffd\ufffd\ufffd\u0133\ub3e9\ufffd\ufffd(S\ufffd\ufffdA'\ufffdso\ufffd1 \ufffd{:\ufffd\ufffd\ufffd$\ufffda\ufffd\ufffd\ufffd\ufffd0\ufffd\rb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy;[`d&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0015M\ufffd@\ufffd\ufffd\ufffdI5\ufffd\ufffd\ufffd\u0133\ub3e9\ufffd\u0013\ufffd\b(S\ufffd\ufffdA'\ufffdso\ufffd1 \u0019\ufffd{:\ufffd\ufffd\ufffd$\ufffda\ufffd\ufffd\ufffd\ufffd0\ufffd\rb\ufffd\u0003\ufffd\ufffd\ufffd\ufffd\u000b\u000e\ufffdy;[`d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "postgres probe \u00b7 via DOCKER:2375 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdM\ufffd@\ufffd\ufffd\ufffdI5\ufffd\ufffd\ufffd\u0133\ub3e9\ufffd\ufffd(S\ufffd\ufffdA'\ufffdso\ufffd1 \ufffd{:\ufffd\ufffd\ufffd$\ufffda\ufffd\ufffd\ufffd\ufffd0\ufffd\rb\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy;[`d&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_docker_api_probe", "tls_clienthello" ], "asn_dc_heuristic": true }

34.95.158.212

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence