04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 63
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_sensitive_path
Cible HTTP
GET
/.env.example
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env.example
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.1.0; LM-Q925S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
950326:rce-0
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /.env.example HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; LM-Q925S) AppleWebKit/537.36 (
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "example",
"http_ua_hash": "8fd92b8ef83ae744cb80fa9f954e9ae44c5350a8",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "080963ef62d711207d0e68706f04d0705ec4d7fa",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 257,
"payload_entropy": 5.424663620914718,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 92,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 92,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 63,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834",
"event_fingerprint": "097d3f52541f906229fbcaca6d4e51bda7bb385a",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "66ae7ef52afb02e6acbf05b54335f46e",
"payload_hash": "307e98fb8f16930422690901324f6075",
"path_pattern_hash": "f8bf22cb3ab23601599be7f21fa00aee"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env.example HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; LM-Q925S) AppleWebKit\/537.36 (",
"event_signature": "daf02eca1acba5be89a08aee99dbaaf62d9341ad",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 63
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_sensitive_path
Cible HTTP
GET
/.env.test
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env.test
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 4.1; en-us; sdk Build/MR1) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.1 Safari/534.30
Règles WAF
950326:rce-0
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /.env.test HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; U; Android 4.1; en-us; sdk Build/MR1) AppleWebKi
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "test",
"http_ua_hash": "e33e08d94371bdf9f99107e217c49a1cbd011df8",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "4e40a92f813d5ab41a0033a3846a1a977ff1de23",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 251,
"payload_entropy": 5.370888470705238,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 92,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 92,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 63,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834",
"event_fingerprint": "791d6afca93a57123b61bbbd4f0e382c60924057",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b4a20b27e400ed38396673bd196d5cd1",
"payload_hash": "271b8518e83b4e746d3b8cc15601426b",
"path_pattern_hash": "d0f775cf96d71b1d76da4d08e462f07a"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env.test HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.1; en-us; sdk Build\/MR1) AppleWebKi",
"event_signature": "a226f7f4d091da519d707ebae906027e6e055244",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 63
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_sensitive_path
Cible HTTP
GET
/.env.template
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env.template
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1
Règles WAF
950326:rce-0
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /.env.template HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebK
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "template",
"http_ua_hash": "fada4e82d66b6839387533af637a6b7308301fea",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "edccaea3bbb1eaacbff6973ad5f703ae60c1ddc1",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 274,
"payload_entropy": 5.385127053657167,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 92,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 92,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 63,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834",
"event_fingerprint": "8a1f004e07255fb894f556da626c5a0864eb846c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bed30f32250b555b2df6dbbadc66fb6d",
"payload_hash": "1d1bd7b2ec16514518df6bc528c41ead",
"path_pattern_hash": "6f72c17e203141284a34bb73c6ef5765"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env.template HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebK",
"event_signature": "f95852128269c7890c5b5bda71779af6722d0011",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
39
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.old
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/.env.old
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36
Règles WAF
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950521:leak-8
950600:k8s-api
Payload (extrait)
GET /api/.env.old HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build/PPR1.180610
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "old",
"http_ua_hash": "2d6b0b9b28a297504657d046e3196200702e7be3",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "1eaaed3d5813b8a0c46124d29705f048ce880ab8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 301,
"payload_entropy": 5.521151533958377,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "3ad966459dfdc34d49c97be7ca69dd25f62ca335",
"event_fingerprint": "bcbb8cda18f2bc9dcaca9120e23d39df240ef1da",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c8eb2bbe42433957c18999e54e9a8783",
"payload_hash": "466f28b533b80b0a8d9700fc7c83ef46",
"path_pattern_hash": "f24df3f6a48f5ead7ac9d4853493d4fa"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/.env.old HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-N950F Build\/PPR1.180610",
"event_signature": "f5c0f30589a91817b67642feacbc2fff33a96ab0",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"950600:k8s-api",
"http_backup_path",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/.env
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110622 Firefox/6.0a2
Règles WAF
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Payload (extrait)
GET /api/.env HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110622 Firefox/
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "892e30f5b31494a0976a25c97949a7020201f976",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "f5b7d21cf92d5caca6cd906725e72730e31bc18c",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 202,
"payload_entropy": 5.318990566479217,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "b2267ad84954dd1f4d15dbc716effa8c8a3c6804",
"event_fingerprint": "7c56676779b667b4fccd7476ccf520ce5c522352",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "8af8ab8befaab0e42ff59f3e0de9e0a5",
"payload_hash": "5a0ef59fe38dd54dc3bdf55136c0f042",
"path_pattern_hash": "3c658e3b68f996f41891a76e1d05a9a5"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko\/20110622 Firefox\/",
"event_signature": "0b0f4f82b22c8de45c129a14291a9ba89b536dd9",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 64
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
22
Recommandation
Investiguer
Tags
950318:lfi-14
950470:nosqli-3
950514:leak-1
http_sensitive_path
Cible HTTP
GET
/.env.txt
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env.txt
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
NokiaN70-1/5.0609.2.0.1 Series60/2.8 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Link/6.3.1.13.0
Règles WAF
950318:lfi-14
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /.env.txt HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: NokiaN70-1/5.0609.2.0.1 Series60/2.8 Profile/MIDP-2.0 Configuration/C
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "txt",
"http_ua_hash": "26ccbd7e7dedfd9062c5f31cbb3975e851746e4b",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "db658cd9f30d14f4f7b89e2ec27457776d31b406",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 223,
"payload_entropy": 5.224859129639031,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 96,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 96,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 64,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "249cc93ce2df7ade828078177a4a7e194722f2b6",
"event_fingerprint": "a8115f13b308a1d434ffa3c51cec84b96095e5f7",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "76bf3224f1bf6605bfa8e88c71a7419f",
"payload_hash": "c844e81f588f5e2bd7bd286c3bf968ea",
"path_pattern_hash": "bcf9f4a0a512e549570ca7fb20cc5789"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env.txt HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: NokiaN70-1\/5.0609.2.0.1 Series60\/2.8 Profile\/MIDP-2.0 Configuration\/C",
"event_signature": "4ee2fc26bf30689d8a149e893e681459fb93771a",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.backup
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/.env.backup
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G950F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36
Règles WAF
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Payload (extrait)
GET /api/.env.backup HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G950F Build/PPR1.180
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "backup",
"http_ua_hash": "613dafa250e9358a94a43c97ccf29e22838945bc",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "9dab8234c39ccb9ea2d77d85642de0c301ab4efb",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 304,
"payload_entropy": 5.528499142886823,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "b2267ad84954dd1f4d15dbc716effa8c8a3c6804",
"event_fingerprint": "1116dc8f5d6d914193372940e5ccd86191a2b2c0",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d61778609b7c61cacca39c0459ebfe15",
"payload_hash": "0b3b68afd36b17e32466b8cb8f96b203",
"path_pattern_hash": "49a3b01836cfe2c6affa28c94f1fce0a"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/.env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950F Build\/PPR1.180",
"event_signature": "8680942780bcef299430bce9fa7c4a72e8bec91a",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 63
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950521:leak-8
http_backup_path
Cible HTTP
GET
/env.old
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/env.old
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; RMX1805) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36
Règles WAF
950326:rce-0
950470:nosqli-3
950521:leak-8
Payload (extrait)
GET /env.old HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; Android 9; RMX1805) AppleWebKit/537.36 (KHTML, lik
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "old",
"http_ua_hash": "c650eb142bb9f09297492d42c58ca1e427395a0e",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "f2c0dc89039abb7b503900ef73d0ee05f89133ed",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 247,
"payload_entropy": 5.431916872138762,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 92,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 92,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 63,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "fe383a4767926bcc3582f0c0c89e99bdf5758247",
"event_fingerprint": "606bbd744d50825b3442405a5f3684996cb2b220",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "76169570826e0a393f882e93d61e3831",
"payload_hash": "2b342a001092506a3378fd74616b6372",
"path_pattern_hash": "7cac178e79fe10bf41da42670526b73d"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/env.old HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; RMX1805) AppleWebKit\/537.36 (KHTML, lik",
"event_signature": "0e299f1995b40652158fc31523b9399bd7506d16",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950521:leak-8",
"http_backup_path",
"http_probe_env"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
37
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/api/.env.prod
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/.env.prod
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
FeedFetcher-Google; ( http://www.google.com/feedfetcher.html)
Règles WAF
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Payload (extrait)
GET /api/.env.prod HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: FeedFetcher-Google; ( http://www.google.com/feedfetcher.html)
A
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "prod",
"http_ua_hash": "b14c25079b44d662b2a10bdfc539b8be54c13f94",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "a0523bde74b7800a5f62604ba67d5973949853e7",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 194,
"payload_entropy": 5.100410841767817,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "de2e9ccf4daf39d53f4a8edcbec396922bf0b678",
"event_fingerprint": "a5913263976b1c5267a3d337ab260250fce3c231",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d09871c0c583e0dbd1f2d4f027c289ce",
"payload_hash": "2f33d171f896d2f9ee703ebe7354cea3",
"path_pattern_hash": "0d46dff1e6403d12ac8e9a297c932ed9"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/.env.prod HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: FeedFetcher-Google; ( http:\/\/www.google.com\/feedfetcher.html)\r\nA",
"event_signature": "abe44eda72a6d23db275ae3172b1e1ddd07a4648",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.production
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/.env.production
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a) Gecko/20040614 Firefox/3.0.0
Règles WAF
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Payload (extrait)
GET /api/.env.production HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "production",
"http_ua_hash": "5183b59b571299ee1872f519219bf4c67961b483",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "968e975abb5bec4d137f79208dfd090d8456c104",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 227,
"payload_entropy": 5.289765458179195,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "b2267ad84954dd1f4d15dbc716effa8c8a3c6804",
"event_fingerprint": "14e8cad01d2ca8a5bd35766ca9e76117e7bb7ee1",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b6c9ae6675288a92970bda0849a8ccbb",
"payload_hash": "42fda1bf5061befeeb45ce5f90bb861d",
"path_pattern_hash": "3695b3884d13830f81357e8fc9151d2d"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/.env.production HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; Mac OS X Mach-O; en-US; rv:2.0a",
"event_signature": "67cd980ddd38a95d6d9ab1a6953a1cb608ec84cd",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.local
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/.env.local
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
Règles WAF
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Payload (extrait)
GET /api/.env.local HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; U; Android 2.0; en-us; Droid Build/ESD20) A
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "local",
"http_ua_hash": "5293452ed8d7216a03ae39f1716f94c020355bda",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "edb025f9fa0e5ca4830590504e5c719dffe9f0d2",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 267,
"payload_entropy": 5.390264571465203,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "b2267ad84954dd1f4d15dbc716effa8c8a3c6804",
"event_fingerprint": "ce24c067310b37bf1777a0c37706a565de1fe1f1",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "14ceea9fa263d8dc8fc78f91cead5a61",
"payload_hash": "551eebdc2ef880baad095adb5a26955f",
"path_pattern_hash": "593041543fc7e9468b6d0efddae98740"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/.env.local HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Droid Build\/ESD20) A",
"event_signature": "426a9709a9e2bbf707f2531b16a780f5e24656fd",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 66
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
29
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/.env.dev.local
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env.dev.local
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
UCWEB/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit/534.1 U3/3.0.0 Mobile
Règles WAF
950318:lfi-14
950326:rce-0
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /.env.dev.local HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: UCWEB/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit/534.1 U3/3.0.0 M
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "local",
"http_ua_hash": "b60da48c4b08cf3b0e05e009cfe39067765db3c1",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "12559bd98a78482d9ce7a35ea95030c5164cc18e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 202,
"payload_entropy": 5.307261956191112,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 66,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "3badd6f44342294637908d6bed469924327ab48f",
"event_fingerprint": "baaec7851e4b1bf3230b083cf52ca0cf40d62d2e",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ff45ba6318f6995eca7d74c8a37b669f",
"payload_hash": "cbd4a3c40c5e80d1e8a1f3d0b3d4c7d9",
"path_pattern_hash": "168410cb363e5bff281032a79dc5b72d"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env.dev.local HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 M",
"event_signature": "88a47ae24e321287a278851d12711fe703b7ba15",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 63
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_sensitive_path
Cible HTTP
GET
/.env~
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env~
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 baidu.sogo.uc.UCBrowser/11.9.4.974 UWS/2.13.1.48 Mo…
Règles WAF
950326:rce-0
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /.env~ HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build/HUAWEIEML-AL
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "env~",
"http_ua_hash": "a0d4576af53f87cdc2baaa057d0330388196a422",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "1226c0debb1b75494a73e965e6d8cdcb9b1ead38",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 431,
"payload_entropy": 5.529009761423701,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 92,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 92,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 63,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834",
"event_fingerprint": "494353f7f026a5593c3239e7e3f82df40d811023",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e4eece6ef0a41f0fb3516b5bbe27e9f6",
"payload_hash": "8d25c0037d7651fce4dc77dcb9ca46d0",
"path_pattern_hash": "cf5f67b633918a8bfbe3f2b4d6e8e9e1"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env~ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 8.1.0; zh-CN; EML-AL00 Build\/HUAWEIEML-AL",
"event_signature": "0f8a3182be9feaca8326a0160117f0839d8b45dd",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 46
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
13
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
Cible HTTP
GET
/env.backup
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/env.backup
Confiance classification
86%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Règles WAF
950326:rce-0
950470:nosqli-3
Payload (extrait)
GET /env.backup HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build/F
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "backup",
"http_ua_hash": "8646a79deb7f829cab47c5b898707f11746b7e9b",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "de881192e40b910ddadfeaa7d74737f8ac4fcb8e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 272,
"payload_entropy": 5.427498314060482,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 60,
"risk_classification": 80,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 0.7,
"risk_breakdown": {
"waf": 60,
"classification": 80,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "2d4bad77b9af66303184e37395d5fd0604c3d8fb",
"event_fingerprint": "b1cd908c36531f733a5ed9d4c7786ed03843b5d2",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "22e8c0d74d4abdc760d3e5d5b357d472",
"payload_hash": "c051f744241d1ca90f95f55e39b0d61c",
"path_pattern_hash": "0913256c1ce2cf4361c479b44d591aa5"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.86,
"classification_confidence": 0.86,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/env.backup HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.2; en-us; Sprint APA9292KT Build\/F",
"event_signature": "0526d68a30e41b948cdad6d13b4e3744e612488e",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 63
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950521:leak-8
http_backup_path
Cible HTTP
GET
/env.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/env.bak
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G975U1 Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36
Règles WAF
950326:rce-0
950470:nosqli-3
950521:leak-8
Payload (extrait)
GET /env.bak HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G975U1 Build/PPR1.180610.011
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "bak",
"http_ua_hash": "7ca7cf36e0ba08ef9f7de766b715417d49fde57a",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "a267c1a6bb1f8e78acd54116556c5ca3263f5088",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 297,
"payload_entropy": 5.527000851663282,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 92,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 92,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 63,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "fe383a4767926bcc3582f0c0c89e99bdf5758247",
"event_fingerprint": "36d0444d6c43eaec752d95f489d69199d6ad8756",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5e8af2b481bba7e65072c0c410349e29",
"payload_hash": "a9496dd50061ff5ac18e0377c91aaff7",
"path_pattern_hash": "8c7af96cfa7ab0d2b434d66566500145"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G975U1 Build\/PPR1.180610.011",
"event_signature": "1cbe3054349fdac2fdd91ca3975c28c3197fc517",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950521:leak-8",
"http_backup_path",
"http_probe_env"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 47
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
13
Recommandation
Surveiller
Tags
950326:rce-0
950470:nosqli-3
http_probe_env
Cible HTTP
GET
/env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/env
Confiance classification
89%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux i686; rv:19.0) Gecko/20100101 Slackware/13 Firefox/19.0
Règles WAF
950326:rce-0
950470:nosqli-3
Payload (extrait)
GET /env HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:19.0) Gecko/20100101 Slackware/13 Fire
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "904f862331142491fc45fd94ae0ef8cc7ca275dc",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "ebac263a482818b6e7a922df98cc560bbc808a0a",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 205,
"payload_entropy": 5.294909724907392,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 60,
"risk_classification": 80,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 60,
"classification": 80,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 47,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c87abae5566d5cc126a3ce87dc65124ddc095c8b",
"event_fingerprint": "5cf7437819105f74eef777d3d0c74b5511460c97",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d73bd383dc1c23a54d0be5ef968c8937",
"payload_hash": "792068f3210ae5185bdac50f3b24f3df",
"path_pattern_hash": "1a3ee8c5f071bd935c8a12206727587a"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.89,
"classification_confidence": 0.89,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux i686; rv:19.0) Gecko\/20100101 Slackware\/13 Fire",
"event_signature": "e36ff24eee9b5bae2728650f7c888e1f37867edb",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"http_probe_env"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 63
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_sensitive_path
Cible HTTP
GET
/.env.orig
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env.orig
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
950326:rce-0
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /.env.orig HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit/537.
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "orig",
"http_ua_hash": "5dcf21c60d3b576e1bedbc3f1c3b5330ee0542f5",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "a5360e8b4c24130ce7b83ff2db501eac1df0996e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 261,
"payload_entropy": 5.384135275673261,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 92,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 92,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 63,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834",
"event_fingerprint": "25bccea438d19dba5263781c4e70a31ec2e9d648",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "74102f0057236ff01cf1a6c8c10c787d",
"payload_hash": "40127f3aa58472bad4b17c301de99b09",
"path_pattern_hash": "74a5485724e3b49c70feec62176e92c9"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env.orig HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.",
"event_signature": "6b3274d485f36dca7f7c83d52d4509fade255136",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
29
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
950521:leak-8
Cible HTTP
GET
/.env.local.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env.local.bak
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Règles WAF
950326:rce-0
950470:nosqli-3
950514:leak-1
950521:leak-8
Payload (extrait)
GET /.env.local.bak HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "bak",
"http_ua_hash": "958c93269956d15ecb42f49b1b56d882687b04c4",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "14d941abaa5531ff4222826e2a078089eafb4502",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 247,
"payload_entropy": 5.436128413659716,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f331d3fa6be690988e7e1938ee71b26034223df1",
"event_fingerprint": "5f0d12e5635e2b9fd78522832fc55055b47879cc",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "38ec015df3ab5b84d88363863ded6a9c",
"payload_hash": "4ed44a6175ccfde4b513d9adec37421d",
"path_pattern_hash": "6ce60df5c3a9e710b10793a4d5a3668f"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env.local.bak HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KH",
"event_signature": "d760e940abc5dc5923dab3a34854c7a8681a8903",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"http_backup_path",
"http_probe_env_local",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 63
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_sensitive_path
Cible HTTP
GET
/.env.docker
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env.docker
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SM-A730F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36
Règles WAF
950326:rce-0
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /.env.docker HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; Android 9; SM-A730F) AppleWebKit/537.36 (KHTML
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "docker",
"http_ua_hash": "dfe6a3c151291f820cc51544e8be83c05cccd03f",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "fffaa1342f06e8670d7edda0bc9461e93e4a0f1f",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 252,
"payload_entropy": 5.41098122679085,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 92,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 92,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 63,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "49852f8371a255c92a3c6c0922a6c1bad7be1834",
"event_fingerprint": "282b6bf056debb727767ffbdbe9662c71da40322",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "77c75564537d5d51297ba1dea02b028d",
"payload_hash": "4a62c2cfe63d5ccdf2e50dad1708182c",
"path_pattern_hash": "4424df1cf14166f6194446e711e46b03"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env.docker HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-A730F) AppleWebKit\/537.36 (KHTML",
"event_signature": "50fb3bdbeff4323d44146027c8fa7b9ac84c1eb4",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
39
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/api/v1/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/v1/.env
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Règles WAF
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Payload (extrait)
GET /api/v1/.env HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Fi
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "env",
"http_ua_hash": "9413061305ae25c7dc96396993c34e4c6bf44378",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "510d89ba7f87ce49d7697f92088f4049153aa93e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 207,
"payload_entropy": 5.344785582152637,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 9,
"anomaly_count": 0,
"campaign_key": "a0c74a750356cbdddda1adac50859b0a5a266d36",
"event_fingerprint": "db1bdf20621c5fac53322542a836234d47a393e9",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bd916d04a43ff1455f620cc89c18c92b",
"payload_hash": "ba82b153ada3b49200ac337f9e1a0e24",
"path_pattern_hash": "5df89d300eb37d420581ac8576ea9498"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko\/20100101 Fi",
"event_signature": "9370e8af120ecc6eee0c61328778ea8992122b45",
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_k8s_probe",
"http_probe_api",
"http_sensitive_path"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
31
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.staging
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/.env.staging
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Règles WAF
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Payload (extrait)
GET /api/.env.staging HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firef
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "staging",
"http_ua_hash": "22d14318c36ee86b76782903da3d72468db7071c",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "558189df00dd1f382a665a69aadcd9f4c6685109",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 204,
"payload_entropy": 5.29208122383546,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "195947f1d652578a55503d333c24f8206ab33695",
"event_fingerprint": "c3d7c7a77312e4c9a0c94b519a73c0ae51d56abc",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4abee9603dd1238a925018eba0435941",
"payload_hash": "cfb14fe1e4e5d8f5efed4567757e3fba",
"path_pattern_hash": "07bb9306fa50af07f9ffa6d9d05639e6"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/.env.staging HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:38.0) Gecko\/20100101 Firef",
"event_signature": "9b78910cdd4c1e8af8c555eeda50d53d0841bae9",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_probe_api",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Moyen · 63
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
21
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950514:leak-1
http_sensitive_path
Cible HTTP
GET
/.env.development.local
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/.env.development.local
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Règles WAF
950326:rce-0
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /.env.development.local HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/5
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "local",
"http_ua_hash": "2b9ec38d3a388e07659997c47ff84ec95e7ef892",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "44b27fcf42134edd5dc872c2c6f931dc026ceb76",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 256,
"payload_entropy": 5.3953370957293885,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 92,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 92,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 63,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "f0e827e0238f0e9f85500f0d1f80a5bc39c81858",
"event_fingerprint": "7569ed4cc7c12212fc7482f442cd50562c5f7377",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b1e6b926d1b671d52d04fbb2c7c2cb4a",
"payload_hash": "705e5199271fa3944ad264c018475e27",
"path_pattern_hash": "66b5346fea2c0f881a6004f5150ea85e"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/.env.development.local HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/5",
"event_signature": "fe084f5b21a9333d6d56702310d98ec7edb65f51",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
35
Recommandation
Investiguer
Tags
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/v1/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/v1/.env
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 YaBrowser/19.7.3.172 Yowser/2.5 Safari/537.36
Règles WAF
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Payload (extrait)
GET /v1/.env HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Ge
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "env",
"http_ua_hash": "843826985604d07c966861fd7b6f38fd550e66f6",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "0f6d25494f66c35cd0bd7eb1054d443c9b0c6f63",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 268,
"payload_entropy": 5.4473369960752,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "6e9c7268073175810e1d974639ded1cb05f4a865",
"event_fingerprint": "20a09c97d3861da7eb3157b6c3f7eb0fb56f952a",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ff0a275ce4a567dd0e86c420c96ff2e2",
"payload_hash": "b2329c4878fa1c370140e9e73adc18a3",
"path_pattern_hash": "a29d1f8ccacc51ac2e54fe6653b8d5f0"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/v1\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Ge",
"event_signature": "c7c627a36b275f82eaf4067130dd46a23d90cf79",
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
46
Recommandation
Investiguer
Tags
950086:sqli-21
950316:lfi-14
950326:rce-0
950468:nosqli-3
Cible HTTP
GET
/api/v3/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/v3/.env
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 6.0; NCE-AL00 Build/HUAWEINCE-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044813 Mobile Safari/537.36 MMWEBID/6904…
Règles WAF
950086:sqli-21
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Payload (extrait)
GET /api/v3/.env HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; Android 6.0; NCE-AL00 Build/HUAWEINCE-AL00; wv
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "env",
"http_ua_hash": "f15ad93a757d3fdce0c7cdc38860e8111c4a08b0",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "bd51d82ebe68616089e33c9b7e8bd3dca93e4339",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 408,
"payload_entropy": 5.561685319543199,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 10,
"anomaly_count": 0,
"campaign_key": "bd4ca15c730ec1b88f5cc1275be4d59ae13adaf0",
"event_fingerprint": "6a46aa04dc421ebb1a06d276466e9e9e96352bfd",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5b4a616bd7fb9c7fa3410347ce5ef3b3",
"payload_hash": "044f6f963204d8e48b275327ea8b4c85",
"path_pattern_hash": "04909e92bace7d0131f14c363849c629"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/v3\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0; NCE-AL00 Build\/HUAWEINCE-AL00; wv",
"event_signature": "63d2ee3029d9ee35cc9ad1a9616b4fd5dcbb528e",
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_probe_api",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
46
Recommandation
Investiguer
Tags
950086:sqli-21
950316:lfi-14
950326:rce-0
950468:nosqli-3
Cible HTTP
GET
/api/v2/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/v2/.env
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16D57 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN
Règles WAF
950086:sqli-21
950316:lfi-14
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950600:k8s-api
Payload (extrait)
GET /api/v2/.env HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebK
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 3,
"http_path_ext": "env",
"http_ua_hash": "83ee0834b60be67a9e2abde255ad72992dca2c81",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "cc4b30112d6bf6eb67e9d97dbf1e56d5dce1ab0e",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 302,
"payload_entropy": 5.490144815758981,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 10,
"anomaly_count": 0,
"campaign_key": "bd4ca15c730ec1b88f5cc1275be4d59ae13adaf0",
"event_fingerprint": "028acbb34b76f299e422c4c20acd8cec6ad2c122",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "51c99b6efb8efd14a2242b25b0e96d8a",
"payload_hash": "6b17fc21348b4c0638d05c270a6b38a3",
"path_pattern_hash": "45a8106651a0a44c3f11053706f8aead"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/v2\/.env HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) AppleWebK",
"event_signature": "0cc15c27197ef1df24dc3b6ae58cae3ca93d1fde",
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950316:lfi-14",
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950600:k8s-api",
"http_probe_api",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:21 UTC
TCP
8091
web attack
Élevée
Élevé · 67
Détails
Voir
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
39
Recommandation
Investiguer
Tags
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/api/.env.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8091
Chemin / cible
/api/.env.bak
Confiance classification
100%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 6.0.1; MI 4W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
950326:rce-0
950468:nosqli-3
950470:nosqli-3
950514:leak-1
950521:leak-8
950600:k8s-api
Payload (extrait)
GET /api/.env.bak HTTP/1.1
Host: 62.3.50.33:8091
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; MI 4W) AppleWebKit/537.36 (KHT
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "bak",
"http_ua_hash": "63f64da39ee21dab88c1929eaaf9d9299d7c4153",
"http_host_hash": "b22ca25a7baac25858e9bd99f69f5034d25af4fc",
"http_target_hash": "db58915b70ec4f4897682eec5a7fd50dc2102271",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 254,
"payload_entropy": 5.413323471733691,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 67,
"tag_count": 10,
"anomaly_count": 0,
"campaign_key": "086940220ba34b3a64bc4c07cd42628f2c7c88af",
"event_fingerprint": "7bd4359595eb44d81b83a567081217aa9f83ad37",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "41b7f89160c026995b940811973931cd",
"payload_hash": "ba4312312d0440806979dbfad3245ed2",
"path_pattern_hash": "704472054da186f49a4245e261c91fda"
},
"target_context": {
"dst_port": 8091,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 1,
"classification_confidence": 1,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/api\/.env.bak HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 6.0.1; MI 4W) AppleWebKit\/537.36 (KHT",
"event_signature": "349d8cf4fb751764e6c105bc3ab210cf0039e91e",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950468:nosqli-3",
"950470:nosqli-3",
"950514:leak-1",
"950521:leak-8",
"950600:k8s-api",
"http_backup_path",
"http_probe_api",
"http_sensitive_path",
"net_flood"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������8�۵#���!!k]�`p ��g�i%�;��A� 1�e�8�-��h}�DT߰�B��/�
��+����$��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.855131497087909,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "9cc150311b17ffdb87c6ae2840c03f0f",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd8\ufffd\u06f5#\u0001\u001b\ufffd!!k]\u0004`p \ufffd\ufffdg\ufffdi%\ufffd;\ufffd\ufffdA\ufffd 1\ufffde\ufffd8\u001d-\ufffd\ufffdh}\ufffdDT\u07f0\ufffdB\u000b\ufffd\/\ufffd\n\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd$\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "e4badee70f5b7f3753eba2ff2138bf313e618b19",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������[������!�y�R�E�Qʹ�d���_6ɻ�VE �����r���8��v�f��`�*���D�R�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.855731713447076,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "b0621b25ed741a0dfcccabe0efb63d77",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd[\ufffd\u000f\ufffd\u0017\ufffd\ufffd!\ufffdy\ufffdR\u001eE\ufffdQ\u0374\ufffdd\ufffd\ufffd\u0003_6\u027b\ufffdVE \ufffd\ufffd\ufffd\u0013\ufffdr\u0001\ufffd\u00068\u0001\ufffdv\ufffdf\ufffd\ufffd`\u000b*\ufffd\u0016\ufffdD\ufffdR\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "de19fa37d50944693a2b3f5f080f8b1bf02a75cc",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������<d�,�,����ą)�Ć�Q棍��8���??�p ��z�\8m'��<0�L�f���$X�:�9�<�|#�}�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.832387810547404,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "fe22ea088af1753de7258d9a4a981983",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003<d\u0001,\ufffd,\ufffd\ufffd\u0004\ufffd\u0105)\ufffd\u0106\u0007Q\u68cd\u001c\ufffd8\ufffd\ufffd\ufffd??\ufffdp \u0012\ufffdz\ufffd\\8m'\u0014\ufffd<0\u0011L\ufffdf\ufffd\ufffd\ufffd$X\ufffd:\ufffd9\ufffd<\ufffd|#\ufffd}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "beb5fbf6ca59aa9361631770ed9399d351842556",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������������M�9>��w��Of�0Y�X��A�ZW� E��f��Y8a0��urSy��]����D�D�^!���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.845722919366208,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "16af9bc86ddf1c5588342de3d8b835cc",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd9>\ufffd\ufffdw\ufffd\ufffdOf\ufffd0Y\ufffdX\ufffd\ufffdA\ufffdZW\ufffd E\ufffd\u001af\f\ufffdY8a0\ufffd\ufffdurSy\ufffd\ufffd]\ufffd\ufffd\u0019\ufffdD\u0006D\ufffd^!\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "c32ac467a7c8eb5ff9347dd3310b737d24fe3c7f",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������IXζ6��^�wύ��V���L�������ު1�� ����eX�_���;���e�a�Q�ؽL��)WS@���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.908427107052697,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "cc654dce77934f9a60a35af57db967cb",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003IX\u03b66\ufffd\ufffd^\u0013w\u03cd\ufffd\ufffdV\ufffd\ufffd\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u07aa1\ufffd\ufffd \ufffd\ufffd\u001e\ufffdeX\ufffd_\ufffd\u0013\ufffd;\u0002\ufffd\ufffde\u0010a\u0016Q\ufffd\u063dL\ufffd\u001a)WS@\u000f\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "ea014fe9d75015c9e71abc8526000d7f9bbc14c6",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������;��7b$}&6�t������tܑC���4x+���I ����Z�
����TR�|�Ī�h<��կ��i��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.845855481770757,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "1e83bd3817de63b4610d8be9b08b608b",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;\ufffd\ufffd7b$}&6\ufffdt\ufffd\ufffd\ufffd\u0012\u0019\ufffdt\u0711C\ufffd\ufffd\ufffd4x+\ufffd\ufffd\ufffdI \ufffd\ufffd\ufffd\ufffdZ\ufffd\r\ufffd\ufffd\ufffd\ufffdTR\u0018|\ufffd\u012a\u0015h<\ufffd\ufffd\u056f\ufffd\ufffdi\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "ab1cec8ea2feea4ef026f223b73185f4e3978a02",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����������������C���ށ*=��6������h����n���Y #���1ݟX��yɫVU$���4��O��Np
�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.818616973045582,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "ad02374601d0776e909459fb8dd79e79",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0004\ufffd\ufffdC\ufffd\ufffd\ufffd\u0781*=\ufffd\u001b6\u0003\u0011\ufffd\ufffd\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\u0017Y #\ufffd\u001b\ufffd1\u075fX\u0017\ufffdy\u026bVU$\ufffd\u0005\ufffd4\u000f\ufffdO\u0012\ufffdNp\r\ufffd\u0007\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "55a899fed091728bc09ef27dffafc0700623877a",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������n�}�$�QR�� ���xģ�ixE��{��>�N Z<
�*�b .��z�ةK'���"S�ԭx�V�V���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.814337045467411,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "b758d3efe3944be36ca06b1d834d9a56",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0018n\ufffd}\ufffd$\ufffdQR\u0015\ufffd\t\ufffd\ufffd\ufffdx\u0123\ufffdixE\ufffd\u001e{\ufffd\ufffd>\ufffdN Z<\n\ufffd*\ufffdb\t.\ufffd\u001bz\ufffd\u0629K'\ufffd\ufffd\ufffd\"S\u0000\u052dx\ufffdV\ufffdV\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "b1320a2e5486ad7afc38ae66691d3d36c4469df4",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������e��?���Y�*��sׄ�a+_ˡb�����M��� Z^+̜���������q�0D�Ҫ;��=��{�
8�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.778095075112583,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "76af0f6354783e7823b7720991b7db84",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffde\ufffd\ufffd?\ufffd\ufffd\ufffdY\u001c*\ufffd\u0018s\u05c4\u0011a+_\u02e1b\ufffd\ufffd\u000b\ufffd\ufffdM\ufffd\ufffd\ufffd Z^+\u031c\ufffd\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\ufffd\u0007q\ufffd0D\ufffd\u04aa;\ufffd\ufffd=\u0003\ufffd{\ufffd\n8\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "a9508b4479dc7c9d9107bc415b9e85301bfa8803",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������\Q� ��Di�'�u��_N�x�Yw�9B�R6['� ���\���{����"��'S��������������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.751574765571508,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "bccc8c49ba030a2937a0b6bd82f6f405",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\\Q\ufffd \ufffd\ufffdDi\ufffd'\ufffdu\ufffd\u0005_N\u001dx\ufffdYw\ufffd9B\u000eR6['\ufffd \ufffd\u0003\ufffd\\\ufffd\ufffd\u0012{\ufffd\ufffd\ufffd\u0018\"\u0003\u0004'S\u001a\ufffd\ufffd\u0012\ufffd\u0005\u000e\ufffd\u000e\ufffd\u001d\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "414cdc3ded2988196bd592e036268ec15b0c3922",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������/S�c���(>�;υ�Y��hY������ ẋg���r�rjH��?T?�������[Z�`���Q�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.871578337040196,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "aa43bef85b98d215cd6cae3c99544fc4",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0003\ufffd\/S\ufffdc\ufffd\ufffd\ufffd(>\ufffd;\u03c5\u0012\u0590Y\ufffd\ufffdhY\ufffd\u000e\ufffd\ufffd\ufffd\ufffd x\u0307g\u000f\ufffd\ufffdr\ufffdrjH\ufffd\u0007?T?\ufffd\ufffd\ufffd\u0003\ufffd\ufffd\ufffd[Z\ufffd`\u0017\ufffd\ufffdQ\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "0d8934fb4c6fe8c8e609887b86cac03a118aa347",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����������������J���Wa� �@4�VK��������|u9�� ��'�a��2N�KH<�7�G�qi�}��~�Pj�wU�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.904718172379221,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "d785360af358fc1c5714221256f089ae",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffd\ufffdWa\ufffd\t\ufffd@4\ufffdVK\ufffd\u0004\u0001\ufffd\ufffd\ufffd\u0015\ufffd|u9\u0012\ufffd \u0019\ufffd'\ufffda\ufffd\ufffd2N\ufffdKH<\ufffd7\ufffdG\ufffdqi\ufffd}\ufffd\ufffd~\ufffdPj\ufffdwU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "d769658738d68ec53d20c2b1f3f2cbb4e92b0e7a",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������9D5��x&��7�Ⱦ$Ʊp�!
�'y�ؽ�"� 1���I���۲!���K�+��0!KY�m�\��6�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.832520372951958,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "c137a2a06e2ee980bff49209a3d3436c",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00039D\u173e5\ufffd\ufffdx&\u001a\ufffd7\ufffd\u023e$\u01b1p\ufffd!\r\ufffd'y\u0016\u063d\u0016\"\ufffd 1\u0012\ufffd\ufffdI\ufffd\ufffd\ufffd\u06f2!\ufffd\ufffd\ufffdK\ufffd+\ufffd\ufffd0!KY\u0002m\ufffd\\\ufffd\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "fe743deaa96502e7efd3f23ee0e85e5afb6eb24a",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������@h��B���Y*�m��9��l��������� �'-?��E"����N�W.�k��J�jgq��4�x�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.908894761007314,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "d8656f47bf65ac1ed021058c9d78baf0",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005\ufffd@h\ufffd\ufffdB\ufffd\ufffd\u0004Y*\ufffdm\ufffd\ufffd9\ufffd\ufffdl\ufffd\ufffd\ufffd\u0012\ufffd\u000e\u0003\ufffd\ufffd \u0019'-?\ufffd\ufffdE\"\ufffd\u001c\ufffd\ufffdN\ufffdW.\ufffdk\ufffd\ufffdJ\ufffdjgq\ufffd\ufffd4\ufffdx\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "cb22bd99738f353d03239acb0ab3b7df429fcf7a",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������FùA�����0��`2�E���e�6v"[8�Q��� �ߞP(J�q��ÝT��y�F��?�m��Ӆd��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.824078591197374,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "6e8ab9f81c03f226146c9c03dd893430",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdF\u00f9A\u0003\ufffd\u000e\ufffd\ufffd0\ufffd\ufffd`2\ufffdE\u0005\ufffd\ufffde\ufffd6v\"[8\ufffdQ\ufffd\ufffd\u001b \ufffd\u07deP(J\ufffdq\ufffd\u0013\u00ddT\u074c\u0019\ufffdy\ufffdF\ufffd\ufffd?\ufffdm\ufffd\u0000\u04c5d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "7b656a896ea2bba015bf60f0d293001ef03fafa0",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������m�
`�r�ޱ.V���4hxS�[K����<�$�zy� �9���;!�� U"��b
�@�A��*�ʶ�G��Pt�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.831287725833073,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "ce6eae3567f554be0863550c32862ede",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\n`\ufffdr\ufffd\u07b1.V\ufffd\ufffd\u00194hxS\ufffd[K\ufffd\u0001\ufffd\ufffd<\u0017$\ufffdzy\u0014 \u00159\ufffd\u0019\u0017;!\ufffd\ufffd\tU\"\ufffd\ufffdb\r\ufffd@\ufffdA\u0003\u000e*\ufffd\u02b6\ufffdG\ufffd\ufffdPt\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "62123d0fb8a6135cf6732fb3bdabb971355f38b4",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������S����ܧ9�@YD��F:v
�9��G��O�-� ������
�LF���u����]y�>�w���������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.728299384418172,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "7e2c6ae026a37163b7b1d30aca5c6117",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0000\ufffd\ufffdS\ufffd\ufffd\ufffd\ufffd\u07279\ufffd@YD\ufffd\ufffdF:v\n\ufffd9\ufffd\ufffdG\b\u0012O\u0014-\ufffd \ufffd\ufffd\ufffd\u0000\ufffd\ufffd\r\ufffdLF\u0011\u0013\ufffdu\ufffd\ufffd\u0001\ufffd]y\ufffd>\ufffdw\ufffd\ufffd\u0006\ufffd\u0013\ufffd\u0001\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "e1536a9a47a0da4beb52505d77cc83278686b853",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Wi��C>�[�Y����ѧ�LL�����8U]ΪU�� �#�������,�n�fM�O��?Xann����5���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.818075738173201,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "c11ad0f73c43109409003661b91328e3",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Wi\ufffd\ufffdC>\ufffd[\ufffdY\ufffd\ufffd\ufffd\u0016\u0467\ufffdLL\ufffd\u0001\ufffd\ufffd\ufffd8U]\u03aaU\u0002\ufffd \ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\ufffd,\ufffdn\ufffdfM\ufffdO\u0007\ufffd?Xann\ufffd\u0003\ufffd\ufffd5\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "8cbd431019cf3660c4707bc2899964de72f50bfb",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������rN����t����'�رpޗ%lƘ�K#�h�F4> �k�?�$�������C��T�۲�\{���6�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.86228424162576,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "cd3cf0612ad31bd8cb85a4c912114c0a",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003rN\u001b\ufffd\u0014\ufffdt\ufffd\ufffd\u0017\ufffd'\ufffd\u0631p\u0797%l\u0198\ufffdK#\ufffdh\ufffdF4> \ufffdk\ufffd?\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffdT\ufffd\u06f2\ufffd\\{\ufffd\ufffd\ufffd6\u000f\u001d\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "0e21734a77ebf968a7e53e9dec46e5002079352a",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������*�q��������A�0��StN�%���&��"�� ��8 ����9�_Ɩ�0B��@�M��ݨ� �}��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8702818551616005,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "eece7d4db87171abfce6f858fe98970d",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd*\ufffdq\ufffd\ufffd\u0000\ufffd\ufffd\ufffd\u0006\ufffdA\ufffd0\ufffd\ufffdStN\ufffd%\ufffd\u001e\ufffd&\ufffd\ufffd\"\u000f\ufffd \ufffd\ufffd8 \ufffd\u0018\ufffd\ufffd9\ufffd_\u0196\ufffd0B\ufffd\u001d@\ufffdM\ufffd\ufffd\u0768\ufffd\t\ufffd}\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "51f87a40a4570aae80c613090571c87f40c1ac6b",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������d7(_��^��U�HO�>�H�}�P����HR1ĭ ��W�i�+���l�� ����3r��!���h��r�h�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.816856032817601,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "d59143ff9ca950d0c8877d4f4ff2775a",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdd7(_\ufffd\u0003^\u001d\ufffdU\ufffdHO\ufffd>\u001aH\ufffd}\ufffdP\ufffd\ufffd\ufffd\ufffdHR1\u012d \f\ufffdW\ufffdi\ufffd+\ufffd\u001c\ufffdl\u0019\ufffd\t\ufffd\ufffd\ufffd\ufffd3r\u0018\ufffd!\ufffd\b\ufffdh\ufffd\ufffdr\ufffdh\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "61a1de4fa3901c748e3e78ca1d167d0ad8468ef6",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������۠��
������ˣ�b�nFt�, ����a���� ��9(M?���*�������L1d����M�2�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.881282652161975,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "12625c039642ce70fb954b19cbc2442e",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u06e0\ufffd\u0011\r\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\u02e3\ufffdb\ufffdnFt\ufffd, \ufffd\u0016\ufffd\u000fa\ufffd\ufffd\ufffd\u001b \ufffd\ufffd9(M?\u0000\ufffd\ufffd*\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL1d\ufffd\ufffd\ufffd\ufffdM\ufffd2\ufffd\u001e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "b84d7546a1fc424cdd8d7d63d3aa344718c5c756",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������W�������%d�
�(b�t�u��Џ�;���
� �$�ix�\�n���k�Y��Y/ZF�>��}�K4tI�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.812382678423477,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "8a171ac10136ae76e5f507688f9ce400",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdW\u0006\ufffd\ufffd\ufffd\u001d\ufffd\ufffd%d\ufffd\r\ufffd(b\ufffdt\ufffdu\ufffd\ufffd\u040f\ufffd;\ufffd\u000e\ufffd\r\ufffd \u000e$\ufffdix\ufffd\\\ufffdn\ufffd\ufffd\ufffdk\ufffdY\ufffd\ufffdY\/ZF\ufffd>\ufffd\ufffd}\ufffdK4tI\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "23ceafd26e890730237342bce91691a46301940b",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
04/06/2026 14:40:20 UTC
TCP
8091
Sonde TLS
Élevée
Faible · 24
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8091
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������)>����?���B�Ig�y���H-f"�L�>�. /T�蛪��Enr�P����?�
���G����6����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.853952002413978,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "TW",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6d3768f3f6d91b623dfa7196fda17d1200491f65",
"event_fingerprint": "7fe7ee03db3da4542299c53670ccd563b3456b4c",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "TW",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "92d3b6667c3dd0b0f912007c68e8bbb7",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8091,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd)>\b\ufffd\ufffd\ufffd?\u0002\ufffd\ufffdB\u0016Ig\ufffdy\ufffd\ufffd\ufffdH-f\"\ufffdL\u0017>\ufffd. \/T\u0016\u86ea\u001d\ufffdEnr\ufffdP\ufffd\ufffd\u0012\u000e?\ufffd\n\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffd6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "8eebe4f4eb16b23833bfe8df9950d87d963d129d",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}