Renseignement sur les menaces

France

35.180.87.209

FAI Amazon.com, Inc. Première vue 18/06/2026 00:35 UTC Dernière vue 18/06/2026 00:35 UTC Risque Élevé

Période analysée : 2026-05-20 → 2026-06-19

Activité suspecte — risque 58/100 (Moyen) — MITRE T1046 — confiance 100 % — via HTTP — multi-protocole (8 protocoles · 5 min)

Campagne multi-ports détectée sur une fenêtre courte

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 67/100 Élevé

Première observation 18/06/2026 00:35 UTC

Dernière observation 18/06/2026 00:35 UTC

Événements (période) 53

MITRE ATT&CK principal T1046 47 occurrences

Activité suspecte — risque 58/100 (Moyen) — MITRE T1046 — confiance 100 % — via HTTP — multi-protocole (8 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_scan_syn » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 84 · Bonus corrélation +14 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 16509 · 35.180.0.0/16 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 53 événements sur la période pour cette IP.

18.218.118.203 Sonde PostgreSQL 19/06/2026 19:29 UTC
18.116.101.220 Sonde PostgreSQL 19/06/2026 19:27 UTC
18.226.231.105 Sonde PostgreSQL 19/06/2026 19:26 UTC
16.58.56.214 Sonde PostgreSQL 19/06/2026 19:11 UTC
98.80.4.70 Tentative d'exploit 19/06/2026 18:59 UTC
3.129.187.38 Sonde PostgreSQL 19/06/2026 18:58 UTC
3.121.228.48 Sonde API Docker 19/06/2026 18:57 UTC
18.97.26.36 vnc bruteforce 19/06/2026 18:55 UTC

Événements (filtres)

Première observation

18/06/2026 00:35 UTC

Dernière observation

18/06/2026 00:35 UTC

Dernière activité (filtres)

18/06/2026 00:35 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 45 CPANEL SSL TCP 1 CPANEL WHM TCP 1

HTTP

CPANEL SSL

CPANEL WHM

Géolocalisation

Origine réseau déclarée

France unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Amazon.com, Inc. 0 Port 2083 cpanel_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

Reconnaissance

Vecteur d'attaque

port scan syn · via HTTP:2086 · (reconnaissance) · → /login/

Détails protocole

Méthode: GET
Chemin: /login/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 S…

Aperçu payload

GET /login/ HTTP/1.1 Host: 62.3.50.33:2086 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li

Port / service

2086 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 tag(s) WAF

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Campagne multi-ports Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S

Confiance

100% Corrélation +14

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

53 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

53 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 00:35:18 UTC	TCP	2086 · HTTP	http	Scan de ports port scan syn · via HTTP:2086 · (reconnaissance) · → /login/	Élevée	Moyen · 58
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /login/ UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_login Cible HTTP GET /login/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2086 Chemin / cible /login/ Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 58 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) cPanel login path Ligne de requête `GET /login/ HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /login/ HTTP/1.1 Host: 62.3.50.33:2086 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /login/ HTTP/1.1 Host: 62.3.50.33:2086 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Accept-Encoding: gzip Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "c70dc60c37e6bc871d82f3db16c89445a04f5577", "http_target_hash": "beca565932dffc1fab4432c056fac7fc3acb1027", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 195, "payload_entropy": 5.386639349109053, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2086, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15 }, "risk_score": 58, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b4f27cd9779247583f495b7b909714c708fd6cd7", "event_fingerprint": "8460036f8a91ee55a657bc5e502e4e974f375ec2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0618" ], "matched_pattern_names": [ "cPanel login path" ], "pattern_ids": [ "pat-0618" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 58, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "e1b1bc7a8e2ffb0ab8949f256c29602c", "path_pattern_hash": "846b3460b625ad1b1254c9016233442b" }, "target_context": { "dst_port": 2086, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/login\/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/login\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login\/ HTTP\/1.1", "request_sample": "GET \/login\/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/login\/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/login\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/login\/ HTTP\/1.1", "request_sample": "GET \/login\/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/login\/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2ea2d054f459879abcd415350fd4c1068680424b", "protocol_details": { "http_method": "GET", "http_path": "\/login\/", "request_line": "GET \/login\/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2086, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/login\/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:2086 \u00b7 (reconnaissance) \u00b7 \u2192 \/login\/", "target_port_label": "2086 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 15, "risk_score": 58, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2086, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/login\/", "request_line": "GET \/login\/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2086, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2086 \u00b7 (reconnaissance) \u00b7 \u2192 \/login\/", "evidence_snippet": "GET \/login\/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "2086 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_login" ], "asn_dc_heuristic": true }
18/06/2026 00:35:17 UTC	TCP	2086 · HTTP	http	Scan de ports port scan syn · via HTTP:2086 · (reconnaissance) · → /login/	Élevée	Moyen · 64
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole POST /login/ UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950326:rce-0 950327:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP POST /login/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 2086 Chemin / cible /login/ Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 921130 duplicate CL cPanel login path Ligne de requête `POST /login/?login_only=1 HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) POST /login/?login_only=1 HTTP/1.1 Host: 62.3.50.33:2086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) POST /login/?login_only=1 HTTP/1.1 Host: 62.3.50.33:2086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Content-Length: 20 Content-Type: application/x-www-form-urlencode Meta JSON brut { "http_header_count": 5, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "54c432bdb9d4b33f9c3ec86efe5638e0b0b4338c", "http_host_hash": "c70dc60c37e6bc871d82f3db16c89445a04f5577", "http_target_hash": "8867d3379ac5bf62897f1378b18a6965af39ff3a", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 304, "payload_entropy": 5.479521155388923, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2086, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ea9b91e94e7a27baa27d6c9dfd6e77234f59c8c0", "event_fingerprint": "2dab72b9dc102e07e913a196cc7a683cdd11a34b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0842", "pat-0618" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "cPanel login path" ], "pattern_ids": [ "pat-0842", "pat-0618" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "615fce795c02806e47e19eb87980fcd9", "payload_hash": "ffaa3160a4549b0d2247058ccc679bee", "path_pattern_hash": "846b3460b625ad1b1254c9016233442b" }, "target_context": { "dst_port": 2086, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "POST \/login\/?login_only=1 HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "POST", "path": "\/login\/", "query_string": "login_only=1", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950327:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "POST \/login\/?login_only=1 HTTP\/1.1", "request_sample": "POST \/login\/?login_only=1 HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nContent-Length: 20\r\nContent-Type: application\/x-www-form-urlencode", "payload_snippet": "POST \/login\/?login_only=1 HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "POST", "path": "\/login\/", "query_string": "login_only=1", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950327:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "POST \/login\/?login_only=1 HTTP\/1.1", "request_sample": "POST \/login\/?login_only=1 HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nContent-Length: 20\r\nContent-Type: application\/x-www-form-urlencode", "payload_snippet": "POST \/login\/?login_only=1 HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3cc8a2e87337af0f4f0ea2922543ec611ad1dc99", "protocol_details": { "http_method": "POST", "http_path": "\/login\/", "request_line": "POST \/login\/?login_only=1 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2086, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/login\/?login_only=1 HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "attack_vector": "port scan syn \u00b7 via HTTP:2086 \u00b7 (reconnaissance) \u00b7 \u2192 \/login\/", "target_port_label": "2086 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2086, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "POST", "http_path": "\/login\/", "request_line": "POST \/login\/?login_only=1 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2086, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2086 \u00b7 (reconnaissance) \u00b7 \u2192 \/login\/", "evidence_snippet": "POST \/login\/?login_only=1 HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "target_port_label": "2086 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950327:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_login" ], "asn_dc_heuristic": true }
18/06/2026 00:35:15 UTC	TCP	2086	—	Scan de ports port scan syn · port 2086 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2086 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": null, "app_proto": null, "asn": 16509, "country": "FR", "dst_port": 2086, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "7461ef7ab1c7ab6a3c4a9e619df57905c7fd91ec", "event_fingerprint": "d4b04e5049a55cc0a97c40efc93b31751eaa746e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "named_classification_skipped": false, "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2086, "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ae75b4f52310efc3171dab716dd194bffba13dcc", "protocol_details": { "port": 2086 }, "attack_vector": "port scan syn \u00b7 port 2086 \u00b7 (reconnaissance)", "target_port_label": "2086", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 2086, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "port": 2086 }, "attack_vector": "port scan syn \u00b7 port 2086 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2086", "emulator_service": null, "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "2086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.ssh/id_ed25519	Élevée	Moyen · 58
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.ssh/id_ed25519 UA Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.ssh/id_ed25519 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.ssh/id_ed25519 Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 58 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred SSH private key ed25519 Ligne de requête `GET /.ssh/id_ed25519 HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.ssh/id_ed25519 HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (K Requête brute (extrait) GET /.ssh/id_ed25519 HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ssh\/id_ed25519", "http_ua_hash": "572d0d5c8fdfe1422b8eda4ab577fb9f29b639e1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "306d98c7b24d1b2bfbec725833a0037a5418aa2d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 229, "payload_entropy": 5.393215015442902, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "40230c97ed9abee35ef0ba31637e125db0e5072f", "event_fingerprint": "f62f109587312167b38dc07e61c7b55747cdbcbb", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0492" ], "matched_pattern_names": [ "Cred SSH private key ed25519" ], "pattern_ids": [ "pat-0492" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cc512f8aa6b1eef151c71762d3763fdb", "payload_hash": "f569d6d0bee6f2aac9a7f0b125c25929", "path_pattern_hash": "d6c157a7b396f45943e49312666b9456" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/.ssh\/id_ed25519", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_ed25519 HTTP\/1.1", "request_sample": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/.ssh\/id_ed25519", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_ed25519 HTTP\/1.1", "request_sample": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (K", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72f1556ca5456f1c1a9f26849ed495025e17b030", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_ed25519", "request_line": "GET \/.ssh\/id_ed25519 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (K", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.ssh\/id_ed25519", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_ed25519", "request_line": "GET \/.ssh\/id_ed25519 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.ssh\/id_ed25519", "evidence_snippet": "GET \/.ssh\/id_ed25519 HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (K", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.npmrc	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.npmrc UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /.npmrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.npmrc Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred NPM credentials Ligne de requête `GET /.npmrc HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Fire Requête brute (extrait) GET /.npmrc HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "npmrc", "http_ua_hash": "1e87ffea5654101b4de6efaf2d6659424d4315d1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e47e720fc12387d6362d15cf56ef7f004f4a216f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 183, "payload_entropy": 5.212846348728628, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "e2cadab59eb2e929e9aad1ad4858bf5efe71a67f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0481" ], "matched_pattern_names": [ "Cred NPM credentials" ], "pattern_ids": [ "pat-0481" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad82fd5622889299602e148bf3c011b2", "payload_hash": "236ad1e75a181db5ec054417503d8bc0", "path_pattern_hash": "7643d037b83b1eb932659ed1ccb7e4fe" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fire", "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fire", "evidence": { "method": "GET", "path": "\/.npmrc", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.npmrc HTTP\/1.1", "request_sample": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fire", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b24f6ffe7a647060d0bd7111a6ad68fa93c7340", "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fire", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.npmrc", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.npmrc", "request_line": "GET \/.npmrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.npmrc", "evidence_snippet": "GET \/.npmrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fire", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.netrc	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.netrc UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 net_web_probe Cible HTTP GET /.netrc TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.netrc Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred Netrc credentials LFI Double-dot bypass Ligne de requête `GET /.netrc HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html Requête brute (extrait) GET /.netrc HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "netrc", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "b7551dc22135c68ecee0a4d011ec4c0b7c771e06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 175, "payload_entropy": 5.083914302912819, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2fe70fb9303e1d68e26870a4f0f7b924c7dd8f1a", "event_fingerprint": "f8d7a5d777d965793ce3d5523871b5ca6f2e2580", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0482", "pat-0103" ], "matched_pattern_names": [ "Cred Netrc credentials", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0482", "pat-0103" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "4a7ba321697185624d062c12759d9630", "path_pattern_hash": "5fa317981ba713f7d39164540951d6bb" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html", "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html", "evidence": { "method": "GET", "path": "\/.netrc", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/.netrc HTTP\/1.1", "request_sample": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ae1fc1cda6527eb77e1afbbeb8402c856ae58ef0", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.netrc", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.netrc", "request_line": "GET \/.netrc HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.netrc", "evidence_snippet": "GET \/.netrc HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /proc/self/environ	Élevée	Moyen · 64
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /proc/self/environ UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950264:lfi-1 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /proc/self/environ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /proc/self/environ Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 930140 proc self LFI path /proc/self/environ Ligne de requête `GET /proc/self/environ HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF lfi-1 rce-0 nosqli-3 Payload (extrait) GET /proc/self/environ HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/ Requête brute (extrait) GET /proc/self/environ HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": null, "http_ua_hash": "54c432bdb9d4b33f9c3ec86efe5638e0b0b4338c", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "147ddb4907cb3b80b049d5af3a19704c5e4646c7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 231, "payload_entropy": 5.364796063942384, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "32a93d0eacda7dd7df412363d494ad173286588f", "event_fingerprint": "45490877643f7c51965c887674e46820a1a355e2", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0714", "pat-0140" ], "matched_pattern_names": [ "CRS 930140 proc self", "LFI path \/proc\/self\/environ" ], "pattern_ids": [ "pat-0714", "pat-0140" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "615fce795c02806e47e19eb87980fcd9", "payload_hash": "8a08fcb93be22c0464688eba98c6f1d2", "path_pattern_hash": "915db09685f7a87f293e0b20df27c822" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/", "method": "GET", "path": "\/proc\/self\/environ", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950264:lfi-1", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-1", "rce-0", "nosqli-3" ], "request_line": "GET \/proc\/self\/environ HTTP\/1.1", "request_sample": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/", "evidence": { "method": "GET", "path": "\/proc\/self\/environ", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950264:lfi-1", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-1", "rce-0", "nosqli-3" ], "request_line": "GET \/proc\/self\/environ HTTP\/1.1", "request_sample": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "48db95984d5f7d92d355acf4b9f3655fb8da751a", "protocol_details": { "http_method": "GET", "http_path": "\/proc\/self\/environ", "request_line": "GET \/proc\/self\/environ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/proc\/self\/environ", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/proc\/self\/environ", "request_line": "GET \/proc\/self\/environ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/proc\/self\/environ", "evidence_snippet": "GET \/proc\/self\/environ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950264:lfi-1", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /appsettings.json	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /appsettings.json UA Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /appsettings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /appsettings.json Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred ASP.NET settings Ligne de requête `GET /appsettings.json HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /appsettings.json HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 ( Requête brute (extrait) GET /appsettings.json HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "572d0d5c8fdfe1422b8eda4ab577fb9f29b639e1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "1bb70c4d477e16ecbd1bc700e3f66fae61eb4898", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.355202377667453, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3044deb80ff6625aca4621a90d52ad1f1b7b4b73", "event_fingerprint": "ffd22a127f03e89d505ab785c0df6115a9b341b7", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0466" ], "matched_pattern_names": [ "Cred ASP.NET settings" ], "pattern_ids": [ "pat-0466" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cc512f8aa6b1eef151c71762d3763fdb", "payload_hash": "9ac7a4ceffaeb1c2cd7f703ee2fc0294", "path_pattern_hash": "8a0b1852fc2be645a82e96b3e5fdd755" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (", "method": "GET", "path": "\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/appsettings.json", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "306c5a0996dd1868fb04dc069354e5115c2d5ae7", "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.json", "request_line": "GET \/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/appsettings.json", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.json", "request_line": "GET \/appsettings.json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/appsettings.json", "evidence_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /web.config	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /web.config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_web_probe Cible HTTP GET /web.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /web.config Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 50 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI IIS web.config Ligne de requête `GET /web.config HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 ( Requête brute (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "040a89826d3eb8f60f68abe05208a91b116b5286", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 223, "payload_entropy": 5.39059582036976, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4917e44826278ff599b1bdfd14c03f2da18081de", "event_fingerprint": "ad4a5ea4232ca17290700f0ac3cf3112b7021f45", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0120" ], "matched_pattern_names": [ "LFI IIS web.config" ], "pattern_ids": [ "pat-0120" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 50, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b24c868eb88f09716d34b010b594ad74", "payload_hash": "482c1842f45611a8e33fa97b1630b6e0", "path_pattern_hash": "0913647d7e838cdd727ceda37a671f37" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/web.config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3b751163f2d0d71e8d702d3ec66908e7105ee71e", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/web.config", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 50, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/web.config", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /application.properties	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /application.properties UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /application.properties Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /application.properties HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.properties HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Requête brute (extrait) GET /application.properties HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "properties", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e3fd46d86bb2ad69319106117f93875bff130862", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.190465848477853, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "8c8dc61efed020761b905b3d8bd8a83c1a9aa231", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "6a730413eafffdf178851437b956fd4e", "path_pattern_hash": "8c4feac6bcb94afde681db33f96763e3" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) ", "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0)", "evidence": { "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "458f28f914cce12b5622ce6bc238df91be3f5e3a", "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0)", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.properties", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.properties", "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0)", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /application.yml	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /application.yml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /application.yml Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /application.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605 Requête brute (extrait) GET /application.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "4f8de184f8ed7de640ee9993663e3ccef9f72770", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "b5819b2c14e2e66f80448b9cafafa1033e7b1cec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.344838648914613, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3044deb80ff6625aca4621a90d52ad1f1b7b4b73", "event_fingerprint": "869e0dcd47a23908f002c38421e2a7f0e49d808b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "428433546e1408b0c726846a5d8a3b70", "payload_hash": "dce4c3c566410d9bed4ec57acfb9de53", "path_pattern_hash": "18101755b44cc6d8b270134bcce32edf" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605", "method": "GET", "path": "\/application.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yml HTTP\/1.1", "request_sample": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605", "evidence": { "method": "GET", "path": "\/application.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.yml HTTP\/1.1", "request_sample": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c27dc36b3b3723cdb675755758aed3c1b76e57af", "protocol_details": { "http_method": "GET", "http_path": "\/application.yml", "request_line": "GET \/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.yml", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/application.yml", "request_line": "GET \/application.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.yml", "evidence_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.kube/config	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.kube/config UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /.kube/config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.kube/config Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET .kube/config Probe /.kube/config Ligne de requête `GET /.kube/config HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.kube/config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 Requête brute (extrait) GET /.kube/config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "kube\/config", "http_ua_hash": "040a89826d3eb8f60f68abe05208a91b116b5286", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "6de07e41ec0c05d5881cf1a65cdbd8753277f973", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 225, "payload_entropy": 5.3942504948081, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "341ac2e411800b1811620dc2f6102cfc7d8f5a48", "event_fingerprint": "8fbf23e61e88a52cc8f82aed6581a4b66dd80c2b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0593", "pat-0203" ], "matched_pattern_names": [ "ET .kube\/config", "Probe \/.kube\/config" ], "pattern_ids": [ "pat-0593", "pat-0203" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b24c868eb88f09716d34b010b594ad74", "payload_hash": "ea5c3be90bb4907c3baa89b42f3343fd", "path_pattern_hash": "7ef33d76bc8de32d08d882a9ac8291f3" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "method": "GET", "path": "\/.kube\/config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.kube\/config HTTP\/1.1", "request_sample": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/.kube\/config", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.kube\/config HTTP\/1.1", "request_sample": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8a4f50def420a90c9d12655214c80f1eb76f59df", "protocol_details": { "http_method": "GET", "http_path": "\/.kube\/config", "request_line": "GET \/.kube\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.kube\/config", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.kube\/config", "request_line": "GET \/.kube\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.kube\/config", "evidence_snippet": "GET \/.kube\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /terraform.tfstate	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /terraform.tfstate UA Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /terraform.tfstate TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /terraform.tfstate Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /terraform.tfstate HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /terraform.tfstate HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Requête brute (extrait) GET /terraform.tfstate HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "tfstate", "http_ua_hash": "572d0d5c8fdfe1422b8eda4ab577fb9f29b639e1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "baeffa95e40dcec721558e2c8524eaa2244715f0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 231, "payload_entropy": 5.356478371471296, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "16889c90e169ffffb31ae573e71dc0df011a3f58", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cc512f8aa6b1eef151c71762d3763fdb", "payload_hash": "e03e6b01ef25d6dc11bafcc2ae7c602d", "path_pattern_hash": "ebaf0256ce61b0ddbaeff437c8371be6" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 ", "method": "GET", "path": "\/terraform.tfstate", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfstate HTTP\/1.1", "request_sample": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/terraform.tfstate", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfstate HTTP\/1.1", "request_sample": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0f2bd20786815d6bbb151b0f25d088551ff58585", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfstate", "request_line": "GET \/terraform.tfstate HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/terraform.tfstate", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfstate", "request_line": "GET \/terraform.tfstate HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/terraform.tfstate", "evidence_snippet": "GET \/terraform.tfstate HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:14 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /terraform.tfstate.backup	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /terraform.tfstate.backup UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /terraform.tfstate.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /terraform.tfstate.backup Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /terraform.tfstate.backup HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /terraform.tfstate.backup HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleW Requête brute (extrait) GET /terraform.tfstate.backup HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "backup", "http_ua_hash": "4f8de184f8ed7de640ee9993663e3ccef9f72770", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "2045b4549caf9eb0850a66a9d5c395e9b74b671c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.364457155459442, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "90b89105e509aa19ca2f5358167dfd894bcafb33", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "428433546e1408b0c726846a5d8a3b70", "payload_hash": "e48ac0230a1da6a9004086df91a98984", "path_pattern_hash": "939d325e377d4b9518ed197b24d27f8c" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleW", "method": "GET", "path": "\/terraform.tfstate.backup", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfstate.backup HTTP\/1.1", "request_sample": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleW", "evidence": { "method": "GET", "path": "\/terraform.tfstate.backup", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfstate.backup HTTP\/1.1", "request_sample": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleW", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2ab30539ce79583b19edf2880e994a0dd793b455", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfstate.backup", "request_line": "GET \/terraform.tfstate.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleW", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/terraform.tfstate.backup", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfstate.backup", "request_line": "GET \/terraform.tfstate.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/terraform.tfstate.backup", "evidence_snippet": "GET \/terraform.tfstate.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleW", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:13 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /data/dump.sql	Élevée	Moyen · 64
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /data/dump.sql UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 25 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /data/dump.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /data/dump.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI Double-dot bypass LFI SQL dump file Ligne de requête `GET /data/dump.sql HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /data/dump.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/b Requête brute (extrait) GET /data/dump.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "c453a27aa17082becb43aa6326b93f0b767d30f2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 182, "payload_entropy": 5.151700268683715, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 7, "anomaly_count": 0, "campaign_key": "bc41fb3579fe21e2cdf4af6568d7ec6f642cb900", "event_fingerprint": "0fb053993926a6b8a45ee9550454cf43dec1bc64", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0103", "pat-0132" ], "matched_pattern_names": [ "LFI Double-dot bypass", "LFI SQL dump file" ], "pattern_ids": [ "pat-0103", "pat-0132" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "1ce99dbfdce5dafab09491f511968efa", "path_pattern_hash": "a0cab5aab5a59924fac704ee0e8419a1" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "method": "GET", "path": "\/data\/dump.sql", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/data\/dump.sql HTTP\/1.1", "request_sample": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "evidence": { "method": "GET", "path": "\/data\/dump.sql", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/data\/dump.sql HTTP\/1.1", "request_sample": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a037a641ad53c331fe47ea7c77b88db07696b7a", "protocol_details": { "http_method": "GET", "http_path": "\/data\/dump.sql", "request_line": "GET \/data\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/data\/dump.sql", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/data\/dump.sql", "request_line": "GET \/data\/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/data\/dump.sql", "evidence_snippet": "GET \/data\/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/b", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +14 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:13 UTC	TCP	2083 · HTTP	http	Sonde fichier credential / clé credential file probe · via HTTP:2083 · (tentative d'exploit) · → /.ssh/id_rsa	Élevée	Moyen · 63
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.ssh/id_rsa UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_id_rsa Cible HTTP GET /.ssh/id_rsa TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.ssh/id_rsa Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier credential/clé · Règle WAF « rce-0 » · Sonde clé SSH / id_rsa · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 63 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-credential-file Http Id Rsa pat-0490 pat-0495 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Cred SSH key in .ssh Cred SSH private key id_rsa Ligne de requête `GET /.ssh/id_rsa HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100 Requête brute (extrait) GET /.ssh/id_rsa HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ssh\/id_rsa", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "d951dfd854ab99392c126a2628ec52b85415a678", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.248017933352825, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 63, "tag_count": 6, "anomaly_count": 0, "campaign_key": "c6a831a73cbd7b8fa87e3e1d685925c08d790046", "event_fingerprint": "fe63d1e92fbf41cd1d9e85871eddbdedc277cb3f", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 393, "precision_signals": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0490", "pat-0495" ], "matched_pattern_names": [ "Cred SSH key in .ssh", "Cred SSH private key id_rsa" ], "pattern_ids": [ "pat-0490", "pat-0495" ], "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 14 }, "named_classification_skipped": false, "classification_parent": "lfi_attack", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "77505e1590147c1a802ded38ea988050", "path_pattern_hash": "6eca2c923ad05fff3eba197c659999e2" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 63 }, "payload_preview": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100", "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100", "evidence": { "method": "GET", "path": "\/.ssh\/id_rsa", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "request_sample": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100", "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "41bd33d2ae4a2b9cb8052b79545fba5391e6ec56", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100", "attack_vector": "credential file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier credential\/cl\u00e9 \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde cl\u00e9 SSH \/ id_rsa \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 82, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 63, "correlation_boost": 14 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 63, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-credential-file", "INT-http_id_rsa", "pat-0490", "pat-0495" ], "tags_summary_labels_fr": [ "SIGMA-web-credential-file", "Http Id Rsa", "pat-0490", "pat-0495" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.ssh\/id_rsa", "request_line": "GET \/.ssh\/id_rsa HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "credential file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.ssh\/id_rsa", "evidence_snippet": "GET \/.ssh\/id_rsa HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_id_rsa", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:13 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /backup/database.sql	Élevée	Moyen · 59
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /backup/database.sql UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_backup_file_scan Cible HTTP GET /backup/database.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /backup/database.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 59 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /backup/database.sql HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /backup/database.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit Requête brute (extrait) GET /backup/database.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "sql", "http_ua_hash": "4f8de184f8ed7de640ee9993663e3ccef9f72770", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "a3946b3816af570287497b31097388dc39031cc4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 232, "payload_entropy": 5.376689194548605, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 7, "anomaly_count": 0, "campaign_key": "fcc198c79c6902b681bf975b9a34984a67ef49ef", "event_fingerprint": "e18178da2a7e814c10c738d8148a10c2becc1549", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "428433546e1408b0c726846a5d8a3b70", "payload_hash": "6f590e350db5ca4d1039a92f5c086398", "path_pattern_hash": "e917b694421874317608b74124d16ed9" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "method": "GET", "path": "\/backup\/database.sql", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/database.sql HTTP\/1.1", "request_sample": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "evidence": { "method": "GET", "path": "\/backup\/database.sql", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/backup\/database.sql HTTP\/1.1", "request_sample": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ab270a3f51c582a5c6d47aefbac97a84f2f3f4e5", "protocol_details": { "http_method": "GET", "http_path": "\/backup\/database.sql", "request_line": "GET \/backup\/database.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup\/database.sql", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/backup\/database.sql", "request_line": "GET \/backup\/database.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup\/database.sql", "evidence_snippet": "GET \/backup\/database.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "http_probe_backup", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:12 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /app/config/parameters.yml	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /app/config/parameters.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /app/config/parameters.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /app/config/parameters.yml Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /app/config/parameters.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi Requête brute (extrait) GET /app/config/parameters.yml HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "9315af92496b848eed5ed988a938df67ee36a260", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "cc8382c07ae1d99dcd8bb8a9e6a6c1ada2d7d586", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 247, "payload_entropy": 5.369900952386539, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "341ac2e411800b1811620dc2f6102cfc7d8f5a48", "event_fingerprint": "47b544297984ae8adadfc92fe78d3bf601968970", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "40b58db0069d1a73ee9d23fa54874615", "payload_hash": "ccd724862545662e3bb9de5991c1e26f", "path_pattern_hash": "14e465936c1b9cf9455ba711f44752e2" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "evidence": { "method": "GET", "path": "\/app\/config\/parameters.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "request_sample": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e7678e4191e9fe2a646b97596b441f443c671931", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/app\/config\/parameters.yml", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/app\/config\/parameters.yml", "request_line": "GET \/app\/config\/parameters.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/app\/config\/parameters.yml", "evidence_snippet": "GET \/app\/config\/parameters.yml HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKi", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:12 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.htpasswd	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.htpasswd UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950522:leak-9 http_sensitive_path Cible HTTP GET /.htpasswd TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.htpasswd Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred Apache htpasswd LFI Apache htpasswd Ligne de requête `GET /.htpasswd HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-9 Payload (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 ( Requête brute (extrait) GET /.htpasswd HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "htpasswd", "http_ua_hash": "54c432bdb9d4b33f9c3ec86efe5638e0b0b4338c", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "ade2de8d21551efb00f221b43821b4acb26b6f79", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 223, "payload_entropy": 5.393351617210067, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "6eae0609b2e7c6f10ea48478a1b6942f19922cd7", "event_fingerprint": "76f8bf04b2521e15f7276e1a7fee8973bedcabd4", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0469", "pat-0108" ], "matched_pattern_names": [ "Cred Apache htpasswd", "LFI Apache htpasswd" ], "pattern_ids": [ "pat-0469", "pat-0108" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "615fce795c02806e47e19eb87980fcd9", "payload_hash": "05c25067de1191eb90dd106cdf2f3de2", "path_pattern_hash": "229c0a4c773f5f9eeec1d298c58088ee" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/.htpasswd", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-9" ], "request_line": "GET \/.htpasswd HTTP\/1.1", "request_sample": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd01fa94b9fc038f32f8b077076ab3149553026a", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.htpasswd", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/.htpasswd", "request_line": "GET \/.htpasswd HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.htpasswd", "evidence_snippet": "GET \/.htpasswd HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950522:leak-9", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:12 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /dump.sql	Élevée	Moyen · 50
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /dump.sql UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_backup_file_scan http_backup_path Cible HTTP GET /dump.sql TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /dump.sql Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 50 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI SQL dump file Ligne de requête `GET /dump.sql HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /dump.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 ( Requête brute (extrait) GET /dump.sql HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "sql", "http_ua_hash": "4f8de184f8ed7de640ee9993663e3ccef9f72770", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "1fc830e90e8ffa94d6b83234ae2ec2ba7b5108ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 221, "payload_entropy": 5.393770538897878, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 50, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4f39fe0e735d71db4dfe53fa2e68a21c8393c767", "event_fingerprint": "0ed0b26da15299b07bc2ca3b97b42a86e9c662be", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0132" ], "matched_pattern_names": [ "LFI SQL dump file" ], "pattern_ids": [ "pat-0132" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "428433546e1408b0c726846a5d8a3b70", "payload_hash": "ebd7a3838c6afba4c0922c18cc6976cc", "path_pattern_hash": "2debf0ced7dd0a1204edf7447a578b8e" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (", "method": "GET", "path": "\/dump.sql", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dump.sql HTTP\/1.1", "request_sample": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (", "evidence": { "method": "GET", "path": "\/dump.sql", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/dump.sql HTTP\/1.1", "request_sample": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e6ee14e0e135749fb589806b1764b5cce677e2da", "protocol_details": { "http_method": "GET", "http_path": "\/dump.sql", "request_line": "GET \/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/dump.sql", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 50, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/dump.sql", "request_line": "GET \/dump.sql HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4 Safari\/605.1.15", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/dump.sql", "evidence_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +14 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_backup_file_scan", "http_backup_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:11 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /config/config.php	Élevée	Moyen · 59
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /config/config.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /config/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 59 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /config/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /config/config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "9315af92496b848eed5ed988a938df67ee36a260", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "b8ef185fa629a44e5f886526b7a4543e57899abc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.3402063177962145, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "a9baa66e73783103ca22da6a1d8fad5077e22708", "event_fingerprint": "93142d1695f40410cfe2bf781cd6d6764240fa48", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "40b58db0069d1a73ee9d23fa54874615", "payload_hash": "de72d816693d3f9a2c74668de7af969f", "path_pattern_hash": "72260f34617018282328c71c36115b23" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/config\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.php HTTP\/1.1", "request_sample": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/config\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/config.php HTTP\/1.1", "request_sample": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a8b62d200f88b47497c22728dfc6d83a2f07dcd7", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.php", "request_line": "GET \/config\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/config\/config.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/config\/config.php", "request_line": "GET \/config\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/config\/config.php", "evidence_snippet": "GET \/config\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:11 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /includes/config.php	Élevée	Moyen · 58
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /includes/config.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /includes/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /includes/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 58 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI Generic config.php Ligne de requête `GET /includes/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /includes/config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537. Requête brute (extrait) GET /includes/config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "38a8cbd588ed9ce06370fbc4d33a68e72d646fef", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 227, "payload_entropy": 5.37355129487294, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "694e606afa687e9647330b201a3dda470eed629e", "event_fingerprint": "334f66406f0e269e3d7e2c13df0f291b40eb1925", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0118" ], "matched_pattern_names": [ "LFI Generic config.php" ], "pattern_ids": [ "pat-0118" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "d270608fc1e767f66ef2d8fa89f7aa5e", "path_pattern_hash": "547c4c5ee35589007f3905ba2ace0f66" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "method": "GET", "path": "\/includes\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/includes\/config.php HTTP\/1.1", "request_sample": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/includes\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/includes\/config.php HTTP\/1.1", "request_sample": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c29947bd4b250ef994877cc8a8a09d581b111af7", "protocol_details": { "http_method": "GET", "http_path": "\/includes\/config.php", "request_line": "GET \/includes\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/includes\/config.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/includes\/config.php", "request_line": "GET \/includes\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/includes\/config.php", "evidence_snippet": "GET \/includes\/config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:11 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /config/database.php	Élevée	Moyen · 58
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /config/database.php UA Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_config Cible HTTP GET /config/database.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /config/database.php Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 58 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /config/database.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /config/database.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 F Requête brute (extrait) GET /config/database.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "80ed50a47ad6386e110103b40770259a62aae049", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e700e04925bb0dece8be41de92b622f2cd49e098", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 186, "payload_entropy": 5.297528099100499, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "b10b61413cbc13042845a951be670fb61ba4c0d2", "event_fingerprint": "0b8d754c3f9c669790da70ca89317f706b894750", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "860da5fd69b9a4398718dec0e118bfe0", "payload_hash": "9af6636bfd7e2e1386cdaf87b5a6af52", "path_pattern_hash": "a199a05002f19c0fd144e669de1d6b8d" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 F", "method": "GET", "path": "\/config\/database.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.php HTTP\/1.1", "request_sample": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 F", "evidence": { "method": "GET", "path": "\/config\/database.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/config\/database.php HTTP\/1.1", "request_sample": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 F", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "43a315335e2c454178e99cc5af8042ffc61e47d3", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.php", "request_line": "GET \/config\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 F", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/config\/database.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 58, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/config\/database.php", "request_line": "GET \/config\/database.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/config\/database.php", "evidence_snippet": "GET \/config\/database.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 F", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +14 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_config", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:10 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /phpinfo.php	Élevée	Moyen · 59
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /phpinfo.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950614:phpinfo http_probe_phpinfo Cible HTTP GET /phpinfo.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /phpinfo.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 59 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /phpinfo.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 phpinfo Payload (extrait) GET /phpinfo.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Requête brute (extrait) GET /phpinfo.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "1e87ffea5654101b4de6efaf2d6659424d4315d1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "1808fe5d8b86eb029606d3db28531c6ec6a82fb5", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 188, "payload_entropy": 5.225712651547952, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "7121082186cebe591ce2f30affe4295843c70402", "event_fingerprint": "a59ada05a54348c2254482565f9f70c7036e37e4", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad82fd5622889299602e148bf3c011b2", "payload_hash": "50bbda08c5ab763fe50fe4a2d3589c9c", "path_pattern_hash": "a405682e93a85e32d41b3615cc2d6365" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "method": "GET", "path": "\/phpinfo.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950614:phpinfo" ], "waf_rule_names": [ "rce-0", "nosqli-3", "phpinfo" ], "request_line": "GET \/phpinfo.php HTTP\/1.1", "request_sample": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "evidence": { "method": "GET", "path": "\/phpinfo.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950614:phpinfo" ], "waf_rule_names": [ "rce-0", "nosqli-3", "phpinfo" ], "request_line": "GET \/phpinfo.php HTTP\/1.1", "request_sample": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99bd6ba980c3218f2d6bcc4fe56699ebd700bd2a", "protocol_details": { "http_method": "GET", "http_path": "\/phpinfo.php", "request_line": "GET \/phpinfo.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/phpinfo.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/phpinfo.php", "request_line": "GET \/phpinfo.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/phpinfo.php", "evidence_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 1.79, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950614:phpinfo", "http_probe_phpinfo", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:10 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /info.php	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /info.php UA Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /info.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /info.php Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /info.php HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /info.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, l Requête brute (extrait) GET /info.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "572d0d5c8fdfe1422b8eda4ab577fb9f29b639e1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "068dbe886744caa8c17ff08053d93aa8001f5bdd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 222, "payload_entropy": 5.354311874850936, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "5b88839a5c7811ca4eb27ad86344b70980bc607d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cc512f8aa6b1eef151c71762d3763fdb", "payload_hash": "1bc5414c53446c0c37e0a65da8353014", "path_pattern_hash": "f698c64f9b430a098de679bb708946c6" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "method": "GET", "path": "\/info.php", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/info.php HTTP\/1.1", "request_sample": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "evidence": { "method": "GET", "path": "\/info.php", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/info.php HTTP\/1.1", "request_sample": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "76f14c19860a42eb2b89bc1bad1043075553a45f", "protocol_details": { "http_method": "GET", "http_path": "\/info.php", "request_line": "GET \/info.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/info.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/info.php", "request_line": "GET \/info.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/info.php", "evidence_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, l", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +18 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 1.76, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:10 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /actuator/logfile	Élevée	Moyen · 59
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /actuator/logfile UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_actuator Cible HTTP GET /actuator/logfile TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /actuator/logfile Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 59 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /actuator Ligne de requête `GET /actuator/logfile HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /actuator/logfile HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /actuator/logfile HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "6f5b0a9fc247c6bb758a70fc6a40934213981d54", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "ca81dadbf99a3c62e140bf99ad6d41a1dcd8a3c8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 224, "payload_entropy": 5.375632243932639, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 6, "anomaly_count": 0, "campaign_key": "7a5e0e6659da4cad1b3a497bb7e580306379cbe3", "event_fingerprint": "92e30f7aaa539737a00c080c0be258ab1020d84e", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0232" ], "matched_pattern_names": [ "Probe \/actuator" ], "pattern_ids": [ "pat-0232" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd33e731a9dc71ed698fb3458da6dbe5", "payload_hash": "1054ce39c19c0ed94f1580c3478255dc", "path_pattern_hash": "a5db5df5e4c3194fc1ea58968235ef2d" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/actuator\/logfile", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/actuator\/logfile HTTP\/1.1", "request_sample": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/actuator\/logfile", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/actuator\/logfile HTTP\/1.1", "request_sample": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e1b94d09e6dca94ebcea7a398ef6f9db72493af", "protocol_details": { "http_method": "GET", "http_path": "\/actuator\/logfile", "request_line": "GET \/actuator\/logfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/logfile", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 59, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/actuator\/logfile", "request_line": "GET \/actuator\/logfile HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/logfile", "evidence_snippet": "GET \/actuator\/logfile HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 1.44, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_actuator", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:09 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git-credentials	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git-credentials UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 net_web_probe Cible HTTP GET /.git-credentials TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git-credentials Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred Git credentials store LFI Double-dot bypass Ligne de requête `GET /.git-credentials HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /.git-credentials HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.co Requête brute (extrait) GET /.git-credentials HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "git-credentials", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "33467536027c202c6eb146b8fd903b0b5c4e3853", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.092356291985212, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2fe70fb9303e1d68e26870a4f0f7b924c7dd8f1a", "event_fingerprint": "5848497183f3e2f1d29281b40e5af80faa68eedb", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0478", "pat-0103" ], "matched_pattern_names": [ "Cred Git credentials store", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0478", "pat-0103" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "20315e173dafd8b701e91c78c5e70d08", "path_pattern_hash": "c2a32b5320241c4bf559b31997cf1f32" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.co", "method": "GET", "path": "\/.git-credentials", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/.git-credentials HTTP\/1.1", "request_sample": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.co", "evidence": { "method": "GET", "path": "\/.git-credentials", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/.git-credentials HTTP\/1.1", "request_sample": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.co", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bab3574c056d108a8dd76a3740cccf2e37c97ff6", "protocol_details": { "http_method": "GET", "http_path": "\/.git-credentials", "request_line": "GET \/.git-credentials HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.co", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git-credentials", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git-credentials", "request_line": "GET \/.git-credentials HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git-credentials", "evidence_snippet": "GET \/.git-credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.co", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 2.3, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:08 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env_production	Élevée	Moyen · 49
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env_production UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /.env_production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env_production Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 49 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env_production HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.env_production HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, lik Requête brute (extrait) GET /.env_production HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "env_production", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "92b3401c352d07d37fc3994dbb8e855ab565a98b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 213, "payload_entropy": 5.421251064450321, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d921ec69a9b485a9871a1300aceb6e60a3443aaa", "event_fingerprint": "3bd9e6ac3fbccf3e997344a266eebc93f44f48bd", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "4102f8f60b019908a83afbc8a0ff9f07", "path_pattern_hash": "3e8bd1a99ea4a61e18cba0d561fe97f5" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/.env_production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "method": "GET", "path": "\/.env_production", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.env_production HTTP\/1.1", "request_sample": "GET \/.env_production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env_production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "evidence": { "method": "GET", "path": "\/.env_production", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.env_production HTTP\/1.1", "request_sample": "GET \/.env_production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env_production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "479d50ee29f659ba31878d35b17fdce25de5e1db", "protocol_details": { "http_method": "GET", "http_path": "\/.env_production", "request_line": "GET \/.env_production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env_production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env_production", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 49, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env_production", "request_line": "GET \/.env_production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env_production", "evidence_snippet": "GET \/.env_production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, lik", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +18 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 3.68, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:08 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.development	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.development UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.development TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.development Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.development HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.development HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET /.env.development HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "development", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "8a4e51701d196d7852353e13bcdd4450138c4d04", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.403729942846331, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "5fec533cbc17e446e2c307860bd5db2bd11a3f41", "event_fingerprint": "96467ecf2d84d0658fb7beb3da94b4614dca2159", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "6f4ff72cfc2445d228c0210dc4d9c8cb", "path_pattern_hash": "c0c440edf0616e70222e5cd82887a202" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/.env.development", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development HTTP\/1.1", "request_sample": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/.env.development", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.development HTTP\/1.1", "request_sample": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b4fb3aac710e16d7a2a48f57bfc676b6bc8e7acd", "protocol_details": { "http_method": "GET", "http_path": "\/.env.development", "request_line": "GET \/.env.development HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.development", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.development", "request_line": "GET \/.env.development HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.development", "evidence_snippet": "GET \/.env.development HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 3.55, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:08 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /wp-config.php	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /wp-config.php UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 http_backup_file_scan Cible HTTP GET /wp-config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /wp-config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /wp-config.php Ligne de requête `GET /wp-config.php HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-5 Payload (extrait) GET /wp-config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET /wp-config.php HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "php", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "614b4fba7293e8b03e4e9dd43da4a4c26e954f4b", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.429110935022751, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "735dc8b0b6c38a456cca7eb2bbc84c10340c8c3b", "event_fingerprint": "c10f741ba77b7646e14c1df5944605088f7f8208", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0195" ], "matched_pattern_names": [ "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0195" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "3addb39797597a11006f6f9c6171bad4", "path_pattern_hash": "c8d91e6e96b16ee20ca9851d4b7ccb28" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like ", "method": "GET", "path": "\/wp-config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php HTTP\/1.1", "request_sample": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/wp-config.php", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5" ], "request_line": "GET \/wp-config.php HTTP\/1.1", "request_sample": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93dbc825d3e6d0f8f3ec583ce6dabf787954d52e", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php", "request_line": "GET \/wp-config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php", "request_line": "GET \/wp-config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php", "evidence_snippet": "GET \/wp-config.php HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 3.43, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:08 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /wp-config.php.bak	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /wp-config.php.bak UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950518:leak-5 950521:leak-8 Cible HTTP GET /wp-config.php.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /wp-config.php.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 933111 LFI WordPress config backup Probe /wp-config.php Ligne de requête `GET /wp-config.php.bak HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Règles WAF rce-0 nosqli-3 leak-5 leak-8 Payload (extrait) GET /wp-config.php.bak HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /wp-config.php.bak HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "9315af92496b848eed5ed988a938df67ee36a260", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "0372d7102c333673ea0de9e60c73911cb60bfb5f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.371242739358143, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 8, "anomaly_count": 0, "campaign_key": "8990629be372e700429ec752bf441811ae0d5f0b", "event_fingerprint": "17ed34391d4cdd071affd6a5d1ae669a0d290860", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0160", "pat-0135", "pat-0195" ], "matched_pattern_names": [ "CRS 933111", "LFI WordPress config backup", "Probe \/wp-config.php" ], "pattern_ids": [ "pat-0160", "pat-0135", "pat-0195" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "40b58db0069d1a73ee9d23fa54874615", "payload_hash": "8a45fe1c4306092a4ce43acc809861a6", "path_pattern_hash": "c879a1d8584c2c545f6c6bb7a9f5a061" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "method": "GET", "path": "\/wp-config.php.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/wp-config.php.bak", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-5", "leak-8" ], "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124.0.0.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b2798d34ec9573ede4c9fab697e4da9e64d57bca", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.bak", "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php.bak", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/wp-config.php.bak", "request_line": "GET \/wp-config.php.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36 Edg\/124\u2026", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php.bak", "evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 3.32, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950518:leak-5", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:08 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.aws/credentials	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.aws/credentials UA Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /.aws/credentials TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.aws/credentials Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Cred AWS credentials file Ligne de requête `GET /.aws/credentials HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.aws/credentials HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Fire Requête brute (extrait) GET /.aws/credentials HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "aws\/credentials", "http_ua_hash": "80ed50a47ad6386e110103b40770259a62aae049", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "ace4c5fcde31b7bd909f97bc14a4a98472286e7e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 183, "payload_entropy": 5.261312117476183, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b353fdfad30457a6a20045ffa4aaa0582dc73b5c", "event_fingerprint": "2d09db4f3d75571021879d47c530e136d7b1dfe1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0468" ], "matched_pattern_names": [ "Cred AWS credentials file" ], "pattern_ids": [ "pat-0468" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "860da5fd69b9a4398718dec0e118bfe0", "payload_hash": "0d714e7cb5ad3335b280f5c8894a03d9", "path_pattern_hash": "02b5f84eeada8b8c7cddae6a529f493a" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fire", "method": "GET", "path": "\/.aws\/credentials", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.aws\/credentials HTTP\/1.1", "request_sample": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fire", "evidence": { "method": "GET", "path": "\/.aws\/credentials", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.aws\/credentials HTTP\/1.1", "request_sample": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fire", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dc7826fbf4d9fd05387177a1fb903d370f68070f", "protocol_details": { "http_method": "GET", "http_path": "\/.aws\/credentials", "request_line": "GET \/.aws\/credentials HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fire", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.aws\/credentials", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.aws\/credentials", "request_line": "GET \/.aws\/credentials HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.aws\/credentials", "evidence_snippet": "GET \/.aws\/credentials HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Fire", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 3.21, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:07 UTC	TCP	2083 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:2083 · (tentative d'exploit) · → /.env.local	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.local UA Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefo… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.local TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.local Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0193 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.local Ligne de requête `GET /.env.local HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.local HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/12 Requête brute (extrait) GET /.env.local HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "local", "http_ua_hash": "80ed50a47ad6386e110103b40770259a62aae049", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "1bd3d14a0dcd500ff7a77dd7b961ff8960851334", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 177, "payload_entropy": 5.2292683694695565, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 7, "anomaly_count": 0, "campaign_key": "c7e986cf101045cf7da5194054034d87c90827e2", "event_fingerprint": "4d10528f934b563f387f0a30f78ac2f9b9556b3e", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0193" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.local" ], "pattern_ids": [ "pat-0191", "pat-0193" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 18 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "860da5fd69b9a4398718dec0e118bfe0", "payload_hash": "4d991b1e100b86c63bd31e41e5c31fec", "path_pattern_hash": "b9c24fc1b97f40588adfd0796c248786" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "method": "GET", "path": "\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.local HTTP\/1.1", "request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "evidence": { "method": "GET", "path": "\/.env.local", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.local HTTP\/1.1", "request_sample": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce9b230748a36a68bff8cde846d2b26630e551e3", "protocol_details": { "http_method": "GET", "http_path": "\/.env.local", "request_line": "GET \/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.local", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0193" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0193" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.local", "request_line": "GET \/.env.local HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.local", "evidence_snippet": "GET \/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:125.0) Gecko\/20100101 Firefox\/12", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 5.19, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_probe_env_local", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:07 UTC	TCP	2083 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:2083 · (tentative d'exploit) · → /.env.production	Élevée	Élevé · 67
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.production UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /.env.production TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.production Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 67 Confiance : Confiance 100 % — Motif catalogue confirmé · 4 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0194 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Probe /.env Probe /.env.production Ligne de requête `GET /.env.production HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 leak-1 Payload (extrait) GET /.env.production HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com Requête brute (extrait) GET /.env.production HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "production", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "9b39fa6529cda07275007291b337879405a04c62", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.112329727480016, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 67, "tag_count": 7, "anomaly_count": 0, "campaign_key": "5430420f1a5ab94a61e1cded9fca85870bf6c488", "event_fingerprint": "73b2ad31fe4f79fa391f51c9ec2ace46824d1707", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103", "pat-0191", "pat-0194" ], "matched_pattern_names": [ "LFI Double-dot bypass", "Probe \/.env", "Probe \/.env.production" ], "pattern_ids": [ "pat-0103", "pat-0191", "pat-0194" ], "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 18 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "82692d18991d4e0ba804f119780ca7df", "path_pattern_hash": "a397c8c79032c8a19624fdccf1ae5680" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 67 }, "payload_preview": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "method": "GET", "path": "\/.env.production", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production HTTP\/1.1", "request_sample": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "evidence": { "method": "GET", "path": "\/.env.production", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.production HTTP\/1.1", "request_sample": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8eedfdf21fa667e5b01b4211c2b369091bfa9dbb", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production", "request_line": "GET \/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 67\/100 (\u00c9lev\u00e9) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 67, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 67, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0194" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0194" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.production", "request_line": "GET \/.env.production HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.production", "evidence_snippet": "GET \/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 4.94, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:07 UTC	TCP	2083 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:2083 · (tentative d'exploit) · → /.env.backup	Élevée	Moyen · 64
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /.env.backup UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.backup TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.backup Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 64 Confiance : Confiance 100 % — Motif catalogue confirmé · 3 tag(s) WAF Protocole émulé 1 Signaux SIGMA-web-config-leak Http Sensitive pat-0191 pat-0192 Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) Probe /.env Probe /.env.backup Ligne de requête `GET /.env.backup HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.backup HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 Requête brute (extrait) GET /.env.backup HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "backup", "http_ua_hash": "040a89826d3eb8f60f68abe05208a91b116b5286", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "0cdfae489c44fe084f54d0d07b1f18ad12bec86e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 224, "payload_entropy": 5.404391167579052, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 6, "anomaly_count": 0, "campaign_key": "5fec533cbc17e446e2c307860bd5db2bd11a3f41", "event_fingerprint": "a31d1233092aa4749ef8ed294194c29ff477c06b", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 325, "precision_signals": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0191", "pat-0192" ], "matched_pattern_names": [ "Probe \/.env", "Probe \/.env.backup" ], "pattern_ids": [ "pat-0191", "pat-0192" ], "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 18 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b24c868eb88f09716d34b010b594ad74", "payload_hash": "480ea4592ff91b778697fc9e0452c80a", "path_pattern_hash": "46237bd90c824ac71e080a2ce5957ff9" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 ", "method": "GET", "path": "\/.env.backup", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.backup HTTP\/1.1", "request_sample": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/.env.backup", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.backup HTTP\/1.1", "request_sample": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9480980160a78b7b00e126dc3fc2f39cec7b1037", "protocol_details": { "http_method": "GET", "http_path": "\/.env.backup", "request_line": "GET \/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.backup", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 74, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 18 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "SIGMA-web-config-leak", "INT-http_sensitive", "pat-0191", "pat-0192" ], "tags_summary_labels_fr": [ "SIGMA-web-config-leak", "Http Sensitive", "pat-0191", "pat-0192" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.backup", "request_line": "GET \/.env.backup HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:2083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.env.backup", "evidence_snippet": "GET \/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 4.71, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:07 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.save	Élevée	Moyen · 64
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.save UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /.env.save TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.save Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI Double-dot bypass Probe /.env Ligne de requête `GET /.env.save HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 leak-1 Payload (extrait) GET /.env.save HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.h Requête brute (extrait) GET /.env.save HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "save", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "b6acd8fd883f6c293e3cda5fd50434818eb0b3df", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 178, "payload_entropy": 5.1127088132629686, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 7, "anomaly_count": 0, "campaign_key": "5430420f1a5ab94a61e1cded9fca85870bf6c488", "event_fingerprint": "cec72c55ee83da4c9b9a2f3226137456dd1028ab", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0103", "pat-0191" ], "matched_pattern_names": [ "LFI Double-dot bypass", "Probe \/.env" ], "pattern_ids": [ "pat-0103", "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "bf2557467a18a8c6fed4e84ae6d4e2c0", "path_pattern_hash": "f8bd9e65b618d21d6e757070964bc6e1" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "method": "GET", "path": "\/.env.save", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.save HTTP\/1.1", "request_sample": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "evidence": { "method": "GET", "path": "\/.env.save", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.save HTTP\/1.1", "request_sample": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4e0956462bcea459465d6fbcc048626e88f1d24", "protocol_details": { "http_method": "GET", "http_path": "\/.env.save", "request_line": "GET \/.env.save HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.save", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.save", "request_line": "GET \/.env.save HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.save", "evidence_snippet": "GET \/.env.save HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 4.5, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:07 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.prod	Élevée	Moyen · 64
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.prod UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950514:leak-1 Cible HTTP GET /.env.prod TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.prod Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) LFI Double-dot bypass Probe /.env Ligne de requête `GET /.env.prod HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 leak-1 Payload (extrait) GET /.env.prod HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.h Requête brute (extrait) GET /.env.prod HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "prod", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "dbae5bda5d181ccfbfc6b75e40a8edbe5f27e87d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 178, "payload_entropy": 5.11147243930867, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 64, "tag_count": 7, "anomaly_count": 0, "campaign_key": "5430420f1a5ab94a61e1cded9fca85870bf6c488", "event_fingerprint": "2351e3d6a8bff32927ea0c0eb7db1808deaddca1", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0103", "pat-0191" ], "matched_pattern_names": [ "LFI Double-dot bypass", "Probe \/.env" ], "pattern_ids": [ "pat-0103", "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "c7d815e09d3f87a4f8ef355a987687e3", "path_pattern_hash": "d6acfe32219429bb20e7ee2ee79adb21" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "method": "GET", "path": "\/.env.prod", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.prod HTTP\/1.1", "request_sample": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "evidence": { "method": "GET", "path": "\/.env.prod", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.prod HTTP\/1.1", "request_sample": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4458d45114295e2b730fb0eb8052acc0acf69052", "protocol_details": { "http_method": "GET", "http_path": "\/.env.prod", "request_line": "GET \/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.prod", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 64, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.prod", "request_line": "GET \/.env.prod HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.prod", "evidence_snippet": "GET \/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.h", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 4.31, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:07 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.old	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.old UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.old TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.old Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.old HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Fi Requête brute (extrait) GET /.env.old HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "old", "http_ua_hash": "1e87ffea5654101b4de6efaf2d6659424d4315d1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "5c6d2af3e13d17105c8f5fb6187fb5c332303b42", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.190792776430112, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "29e04f6850d93dbf4e9875dbc1b2067fc8f6c551", "event_fingerprint": "e5d338ee2df32b42a3a5a14ffa3e7104b3c35bfa", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad82fd5622889299602e148bf3c011b2", "payload_hash": "d7adc646f23cff079d980b87aa01a61a", "path_pattern_hash": "3807eb1255fb0315f3ffbb94c31e25e0" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fi", "method": "GET", "path": "\/.env.old", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fi", "evidence": { "method": "GET", "path": "\/.env.old", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.old HTTP\/1.1", "request_sample": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fi", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f343ee0d14d192e4a813fe06ac087536f4bcd114", "protocol_details": { "http_method": "GET", "http_path": "\/.env.old", "request_line": "GET \/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fi", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.old", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.old", "request_line": "GET \/.env.old HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.old", "evidence_snippet": "GET \/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Fi", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 4.14, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:07 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.bak	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.bak UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 29 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 950521:leak-8 Cible HTTP GET /.env.bak TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.bak Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.bak HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 leak-8 Payload (extrait) GET /.env.bak HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko Requête brute (extrait) GET /.env.bak HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "bak", "http_ua_hash": "07b3f636f85048d240c220c68060800feecba27d", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "4a5fcefd2e38e385c845c219c16c9499f238dece", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.421656125936838, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "29e04f6850d93dbf4e9875dbc1b2067fc8f6c551", "event_fingerprint": "ed13d740c31d2c98b9a4699ea7b76b9e1f77c134", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c1397ca4c438ef7fc95e8a6f78f01a9b", "payload_hash": "6d668efc29bad634366dd236f5cf4862", "path_pattern_hash": "e884c8b66a9cc0dbcd8816b9898313a2" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "method": "GET", "path": "\/.env.bak", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.bak HTTP\/1.1", "request_sample": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "evidence": { "method": "GET", "path": "\/.env.bak", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1", "leak-8" ], "request_line": "GET \/.env.bak HTTP\/1.1", "request_sample": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3e54ef832eece65ffc2dccc04df59181baefea6f", "protocol_details": { "http_method": "GET", "http_path": "\/.env.bak", "request_line": "GET \/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.bak", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.bak", "request_line": "GET \/.env.bak HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.bak", "evidence_snippet": "GET \/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 3.97, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "950521:leak-8", "http_backup_file_scan", "http_backup_path", "http_probe_env", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 00:35:07 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.env.docker	Élevée	Moyen · 61
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.env.docker UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.… Émulateur HTTP WAF 21 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950514:leak-1 http_backup_file_scan Cible HTTP GET /.env.docker TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.env.docker Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.env Ligne de requête `GET /.env.docker HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-1 Payload (extrait) GET /.env.docker HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 Requête brute (extrait) GET /.env.docker HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "docker", "http_ua_hash": "040a89826d3eb8f60f68abe05208a91b116b5286", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "fffaa1342f06e8670d7edda0bc9461e93e4a0f1f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 224, "payload_entropy": 5.3797864365228785, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 92, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "5fec533cbc17e446e2c307860bd5db2bd11a3f41", "event_fingerprint": "1680179ea5e87eb45a9fd52e4928e4bdb52c8f9d", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0191" ], "matched_pattern_names": [ "Probe \/.env" ], "pattern_ids": [ "pat-0191" ], "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b24c868eb88f09716d34b010b594ad74", "payload_hash": "616a36c1fe84ba7bc1f6ac03b42cad2f", "path_pattern_hash": "4424df1cf14166f6194446e711e46b03" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 ", "method": "GET", "path": "\/.env.docker", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.docker HTTP\/1.1", "request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/.env.docker", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-1" ], "request_line": "GET \/.env.docker HTTP\/1.1", "request_sample": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ffecd1c0d9be687bc424f0d4439c102f34a8e836", "protocol_details": { "http_method": "GET", "http_path": "\/.env.docker", "request_line": "GET \/.env.docker HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.docker", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 92, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 61, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.env.docker", "request_line": "GET \/.env.docker HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env.docker", "evidence_snippet": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/537.36", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 92 \u00b7 Bonus corr\u00e9lation +18 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 3.82, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950514:leak-1", "http_backup_file_scan", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:06 UTC	TCP	2077	—	Scan de ports port scan syn · port 2077 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2077 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": null, "app_proto": null, "asn": 16509, "country": "FR", "dst_port": 2077, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "f1191dfb709b7ac67d5ed9918ad68b24cba18c54", "event_fingerprint": "07d88d1df5a8bacf3c8aed6c9609c080b5d06a2a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2077, "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "846710dbe3b32b9683607f769ecf148fda1657fe", "protocol_details": { "port": 2077 }, "attack_vector": "port scan syn \u00b7 port 2077 \u00b7 (reconnaissance)", "target_port_label": "2077", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (6 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 2077, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 2077 }, "attack_vector": "port scan syn \u00b7 port 2077 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2077", "emulator_service": null, "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "2077" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 6, "scan_velocity_ports_per_s": 60, "multi_protocol_correlation": true, "multi_protocol_count": 6, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "port:2077", "port:2078", "port:2086", "port:2095" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
18/06/2026 00:35:06 UTC	TCP	2096	—	Scan de ports port scan syn · port 2096 · (reconnaissance)	Faible	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2096 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance élevée (100 %) — signaux convergents Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": null, "app_proto": null, "asn": 16509, "country": "FR", "dst_port": 2096, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 42, "tag_count": 0, "anomaly_count": 0, "campaign_key": "b2d3d08c24b165fc722efd535df6de9a0712b673", "event_fingerprint": "459b248b40f6c3504248ef0f16a45d6a966e68f6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 2096, "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4f00d90a2248967d152928cebf27be52b96caffe", "protocol_details": { "port": 2096 }, "attack_vector": "port scan syn \u00b7 port 2096 \u00b7 (reconnaissance)", "target_port_label": "2096", "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (7 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 2096, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "port": 2096 }, "attack_vector": "port scan syn \u00b7 port 2096 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "2096", "emulator_service": null, "confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "2096" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 70, "multi_protocol_correlation": true, "multi_protocol_count": 7, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
18/06/2026 00:35:06 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/HEAD	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/HEAD UA Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/HEAD TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/HEAD Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET .git HEAD Probe /.git/HEAD Ligne de requête `GET /.git/HEAD HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, Requête brute (extrait) GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "git\/head", "http_ua_hash": "572d0d5c8fdfe1422b8eda4ab577fb9f29b639e1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "a5bdb37ad3aa5fc1e8e58237e6cb768f00ae6952", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 223, "payload_entropy": 5.37163480489065, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "20adab89794dfd3ce901d81c816b7b8e611932a4", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0749", "pat-0197" ], "matched_pattern_names": [ "ET .git HEAD", "Probe \/.git\/HEAD" ], "pattern_ids": [ "pat-0749", "pat-0197" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cc512f8aa6b1eef151c71762d3763fdb", "payload_hash": "e2dcc47b43167d34b5c4ee3f8a46560a", "path_pattern_hash": "353579f4025217f1143d65b4213aaffa" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, ", "method": "GET", "path": "\/.git\/HEAD", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/HEAD HTTP\/1.1", "request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML,", "evidence": { "method": "GET", "path": "\/.git\/HEAD", "user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/HEAD HTTP\/1.1", "request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML,", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6cd04bf5312a6da1b92e6a951897f331505ce235", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/HEAD", "request_line": "GET \/.git\/HEAD HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/HEAD", "request_line": "GET \/.git\/HEAD HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Mobile Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD", "evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; Pixel 8) AppleWebKit\/537.36 (KHTML,", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 51.2, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:06 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/config	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/config UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/config Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.git/config Ligne de requête `GET /.git/config HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Requête brute (extrait) GET /.git/config HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "git\/config", "http_ua_hash": "1e87ffea5654101b4de6efaf2d6659424d4315d1", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e2f253eab0d0cf5422d24d22ae2a4954398768df", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 188, "payload_entropy": 5.18568186731747, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "66f4f7bee89277b16e7a447959d7f731604c4b3b", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0198" ], "matched_pattern_names": [ "Probe \/.git\/config" ], "pattern_ids": [ "pat-0198" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad82fd5622889299602e148bf3c011b2", "payload_hash": "5588bf67bec0ab8a602ec7c8784c6185", "path_pattern_hash": "3ec26e4f0817b37785cd5e68fed88892" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "method": "GET", "path": "\/.git\/config", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/config HTTP\/1.1", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "evidence": { "method": "GET", "path": "\/.git\/config", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/config HTTP\/1.1", "request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9a2b1e9fabe348a3287e4edda701b4161e8431db", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/config", "request_line": "GET \/.git\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/config", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/config", "request_line": "GET \/.git\/config HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/config", "evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko\/20100101", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 33.88, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:06 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/logs/HEAD	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/logs/HEAD UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/logs/HEAD TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/logs/HEAD Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /.git/logs/HEAD HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/logs/HEAD HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537 Requête brute (extrait) GET /.git/logs/HEAD HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "git\/logs\/head", "http_ua_hash": "54c432bdb9d4b33f9c3ec86efe5638e0b0b4338c", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "46ee287ff28a9e8320b0108d4ba9199fc223bf1f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.382584966477311, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "9d92165683bc6a5931969fff421454bab983ef55", "event_fingerprint": "d451f8e14e3bf9a588e2d5e873e54aac1ee2da2f", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "615fce795c02806e47e19eb87980fcd9", "payload_hash": "ab151ad04a36339b3608cae29046d8a9", "path_pattern_hash": "4d02ba9a1a1681db85a5d54f36cabf3b" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/logs\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537", "method": "GET", "path": "\/.git\/logs\/HEAD", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/logs\/HEAD HTTP\/1.1", "request_sample": "GET \/.git\/logs\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/logs\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537", "evidence": { "method": "GET", "path": "\/.git\/logs\/HEAD", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/logs\/HEAD HTTP\/1.1", "request_sample": "GET \/.git\/logs\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/logs\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a6db47f0d85f52c63957e4936b75630f2443e82c", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/logs\/HEAD", "request_line": "GET \/.git\/logs\/HEAD HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/logs\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/logs\/HEAD", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/logs\/HEAD", "request_line": "GET \/.git\/logs\/HEAD HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/logs\/HEAD", "evidence_snippet": "GET \/.git\/logs\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 25.47, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:06 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/refs/heads/master	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/refs/heads/master UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/refs/heads/master TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/refs/heads/master Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /.git/refs/heads/master HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/refs/heads/master HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5 Requête brute (extrait) GET /.git/refs/heads/master HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "git\/refs\/heads\/master", "http_ua_hash": "2d8967335bcf485cf78ad32a48b144390d6645b7", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "e2ddeb0180247c800c169d74d130a5c8f6d3cfe2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.3642554208887905, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "22887339b443a07807e60bb80a41b1f9b62fc106", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fbfac33ae69df12764d9c9274e275803", "payload_hash": "5ff254af2aa580c84068845b79678ce2", "path_pattern_hash": "f5219a1b30edcca8d01268be8b2b506c" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "method": "GET", "path": "\/.git\/refs\/heads\/master", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/refs\/heads\/master HTTP\/1.1", "request_sample": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/.git\/refs\/heads\/master", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/refs\/heads\/master HTTP\/1.1", "request_sample": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b0168daeba65e8ed7a0b978eeaac6cf55bac9f64", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/refs\/heads\/master", "request_line": "GET \/.git\/refs\/heads\/master HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/refs\/heads\/master", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/refs\/heads\/master", "request_line": "GET \/.git\/refs\/heads\/master HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/123.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/refs\/heads\/master", "evidence_snippet": "GET \/.git\/refs\/heads\/master HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 20.4, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:06 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/refs/heads/main	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/refs/heads/main UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/refs/heads/main TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/refs/heads/main Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /.git/refs/heads/main HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/refs/heads/main HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /.git/refs/heads/main HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "git\/refs\/heads\/main", "http_ua_hash": "54c432bdb9d4b33f9c3ec86efe5638e0b0b4338c", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "224aef6c29ba33c300fde4c406757d32c8a6334c", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 234, "payload_entropy": 5.371537003698668, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "c1829a4eac8a0f7b33d0566e7058ed19839c5fa0", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "615fce795c02806e47e19eb87980fcd9", "payload_hash": "f4ec0e16a6c7312ef44fc117ce2409e7", "path_pattern_hash": "60be1b30b8f9cc34bcfa237561933520" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "GET", "path": "\/.git\/refs\/heads\/main", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/refs\/heads\/main HTTP\/1.1", "request_sample": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "GET", "path": "\/.git\/refs\/heads\/main", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/refs\/heads\/main HTTP\/1.1", "request_sample": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a8405ba7227461faff7cb4c2d967f9e183bd149d", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/refs\/heads\/main", "request_line": "GET \/.git\/refs\/heads\/main HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/refs\/heads\/main", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/refs\/heads\/main", "request_line": "GET \/.git\/refs\/heads\/main HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/124.0.0.0 Safari\/537.36", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/refs\/heads\/main", "evidence_snippet": "GET \/.git\/refs\/heads\/main HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 16.99, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:06 UTC	TCP	2083 · HTTP	http	Scan de ports port scan syn · via HTTP:2083 · (reconnaissance) · → /.git/index	Élevée	Élevé · 65
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /.git/index UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 950513:leak-0 Cible HTTP GET /.git/index TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2083 Chemin / cible /.git/index Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Élevé · 65 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Probe /.git/index Ligne de requête `GET /.git/index HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Règles WAF rce-0 nosqli-3 leak-0 Payload (extrait) GET /.git/index HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/201001 Requête brute (extrait) GET /.git/index HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko/20100101 Firefox/125.0 Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "git\/index", "http_ua_hash": "abcecdd24d00f76aa87a7f19ce44d01537e01df4", "http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0", "http_target_hash": "599e59a42cb71373111f2fc13a586e0adc0040e3", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.214225298047615, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25 }, "risk_score": 65, "tag_count": 9, "anomaly_count": 0, "campaign_key": "eccbdf25b966cc63d540005da1bbbe7c41dfe4d8", "event_fingerprint": "14b3ba173ef2f98bdcbd399e5f40608358eff90e", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0199" ], "matched_pattern_names": [ "Probe \/.git\/index" ], "pattern_ids": [ "pat-0199" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f631915c7d7a8dcb91e1608a166d21b7", "payload_hash": "75ac064f0b80fe57d138d3f5fde9b2cb", "path_pattern_hash": "1a24fbe3e34c1ea547b8677072fa65d3" }, "target_context": { "dst_port": 2083, "service": "http", "service_name": "http", "risk_score": 65 }, "payload_preview": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "method": "GET", "path": "\/.git\/index", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/index HTTP\/1.1", "request_sample": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "evidence": { "method": "GET", "path": "\/.git\/index", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0" ], "waf_rule_names": [ "rce-0", "nosqli-3", "leak-0" ], "request_line": "GET \/.git\/index HTTP\/1.1", "request_sample": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7780d48de8dfd5fb14210fe244b902a6e9430757", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/index", "request_line": "GET \/.git\/index HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/index", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (8 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 25, "risk_score": 65, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 65, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/.git\/index", "request_line": "GET \/.git\/index HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/20100101 Firefox\/125.0", "port": 2083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:2083 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/index", "evidence_snippet": "GET \/.git\/index HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14.4; rv:125.0) Gecko\/201001", "target_port_label": "2083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +18 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 2077, 2078, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 7, "scan_velocity_ports_per_s": 14.62, "multi_protocol_correlation": true, "multi_protocol_count": 8, "multi_protocol_sample": [ "cpanel-ssl", "cpanel-whm", "http", "port:2077", "port:2078", "port:2086", "port:2095", "port:2096" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "950513:leak-0", "http_backup_file_scan", "http_git_exposure", "http_probe_git", "http_sensitive_path", "net_web_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 00:35:05 UTC	TCP	2083 · CPANEL SSL	cpanel-ssl	cpanel probe cpanel probe · via CPANEL SSL:2083 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CPANEL-SSL WAF — Recommandation Surveiller Tags cpanel_ssl_emulated net_cpanel_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2083 Chemin / cible — Service CPANEL SSL Pourquoi cette classification : Type « cpanel_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "cpanel-ssl", "app_proto": "cpanel-ssl", "asn": 16509, "country": "FR", "dst_port": 2083, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 34, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c0f9f6f627a73b24caa302338d5283f47efa634a", "event_fingerprint": "80d2812b66b9080b0842670f25ce9d4d3386dae1", "classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "cpanel-ssl", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "e7139612faef5d92b03716e3491ff506" }, "target_context": { "dst_port": 2083, "service": "cpanel-ssl", "service_name": "cpanel-ssl", "risk_score": 34 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b54d026a0a22eb5273cf5f714c1d3d76f510f71f", "protocol_details": { "port": 2083, "service": "cpanel-ssl", "service_label_fr": "CPANEL SSL" }, "attack_vector": "cpanel probe \u00b7 via CPANEL SSL:2083 \u00b7 (sonde \/ probe)", "target_port_label": "2083 \u00b7 CPANEL SSL", "emulator_service": "cpanel-ssl", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "cpanel-ssl", "service_label_fr": "CPANEL SSL", "dst_port": 2083, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-ssl", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 2083, "service": "cpanel-ssl", "service_label_fr": "CPANEL SSL" }, "attack_vector": "cpanel probe \u00b7 via CPANEL SSL:2083 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "2083 \u00b7 CPANEL SSL", "emulator_service": "cpanel-ssl", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_ssl", "service_banner": "honeypot-cpanel-ssl", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_ssl_emulated", "net_cpanel_probe" ], "asn_dc_heuristic": true }
18/06/2026 00:35:05 UTC	TCP	2095	—	Sonde port Sonde port · port 2095 · (sonde / probe)	Faible	Faible · 33
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2095 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 33 Confiance : Confiance faible (0 %) — classification prudente Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": null, "app_proto": null, "asn": 16509, "country": "FR", "dst_port": 2095, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 33, "tag_count": 0, "anomaly_count": 0, "campaign_key": "71fde937e85a7f9549deacf18c1a305f326580ab", "event_fingerprint": "beb69de90685708107478fb51eb34bd128b33d3d", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 33, "correlation_boost": 8 }, "named_classification_skipped": false, "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "FR", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 2095, "risk_score": 33 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34ba8a6ddef4976d30181b990f4b1f6b68bb50c2", "protocol_details": { "port": 2095 }, "attack_vector": "Sonde port \u00b7 port 2095 \u00b7 (sonde \/ probe)", "target_port_label": "2095", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 33, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 33, "risk_label": "Faible", "service_name": null, "service_label_fr": null, "dst_port": 2095, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 2095 }, "attack_vector": "Sonde port \u00b7 port 2095 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "2095", "emulator_service": null, "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "2095" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "cpanel-ssl", "port:2095" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }

35.180.87.209

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence